Fixing TechNet and MSDN links plus refreshing articles 6

Frank Rojas 2024-02-02 19:42:00 -05:00
commit 6cdbbf5556
98 changed files with 5033 additions and 3618 deletions


@ -1757,7 +1757,7 @@
},
{
"source_path": "windows/deploy/deploy-whats-new.md",
"redirect_url": "/windows/deployment/deploy-whats-new",
"redirect_url": "/windows/deployment/",
"redirect_document_id": false
},
{


@ -280,6 +280,111 @@
"redirect_url": "/windows/configuration/windows-diagnostic-data",
"redirect_document_id": false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-feedback.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-o365.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-overview.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-1.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-1",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-2.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-2",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-3.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-3",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-4.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-4",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-5.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-5",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-6.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-6",
"redirect_document_id":false
},
{
"source_path": "windows/configuration/windows-diagnostic-data.md",
"redirect_url": "/windows/privacy/windows-diagnostic-data",
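Review bot: The 21 added Cortana entries are written as `"source_path":"…"`, `"redirect_url":"…"` and `"redirect_document_id":false`, with no space after the colon, while the neighbouring entries in this file use `"source_path": "…"`. The JSON is equivalent, but the mixed style makes later search-and-replace and diff review across this redirection file harder. I would normalise the new entries to the existing form, e.g. `"redirect_document_id": false`.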


@ -187,7 +187,7 @@
},
{
"source_path": "windows/deployment/update/change-history-for-update-windows-10.md",
"redirect_url": "/windows/deployment/deploy-whats-new",
"redirect_url": "/windows/deployment/",
"redirect_document_id": false
},
{
@ -754,7 +754,7 @@
"source_path": "windows/deployment/do/mcc-enterprise-portal-deploy.md",
"redirect_url": "/windows/deployment/do/mcc-enterprise-deploy",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/windows-autopatch/deploy/index.md",
"redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",
@ -1114,6 +1114,16 @@
"source_path": "windows/deployment/windows-autopilot/windows-autopilot.md",
"redirect_url": "/mem/autopilot/windows-autopilot",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-whats-new.md",
"redirect_url": "/windows/deployment/",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/Windows-AutoPilot-EULA-note.md",
"redirect_url": "/legal/windows/windows-autopilot-eula-note",
"redirect_document_id": false
}
]
}
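Review bot: With `windows/deployment/deploy-whats-new.md` now redirected to `/windows/deployment/` in the third hunk, any redirect that still targets `/windows/deployment/deploy-whats-new` becomes a two-hop chain. The first hunk here updates the `change-history-for-update-windows-10.md` entry, and another redirection file in this commit updates `windows/deploy/deploy-whats-new.md`. The visible hunks cannot show whether other entries or in-article links still point at the old target. Searching the redirection files and TOCs for `/windows/deployment/deploy-whats-new` before merging would confirm that none remain.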


@ -3,7 +3,7 @@ title: Manage Copilot in Windows
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: conceptual
ms.subservice: windows-copilot
ms.date: 01/22/2024
ms.date: 02/01/2024
ms.author: mstewart
author: mestew
appliesto:
@ -57,7 +57,11 @@ Copilot is a consumer experience and has a daily limit on the number of chat que
- User and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing app for iOS or Android aren't currently supported. Copilot with commercial data protection is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Copilot with commercial data protection [privacy statement](/copilot/privacy-and-protections).
- Copilot with commercial data protection is available, at no additional cost, for the following licenses:
- Microsoft 365 E3 or E5
- Microsoft 365 A3 or A5 for faculty
- Microsoft 365 F3 <!--8681080, 8681034-->
- Microsoft 365 A1, A3, or A5 <!--8681034-->
- Copilot with comercial data protection is limited to faculty and higher education students over 18 years of age
- Office 365 A1, A3, or A5 <!--8681034-->
- Copilot with comercial data protection is limited to faculty and higher education students over 18 years of age
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
@ -84,8 +88,11 @@ To verify that Copilot with commercial data protection is enabled for the user a
1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/).
1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes **Copilot**. Copilot with commercial data protection is included and enabled by default for users that are assigned one of the following licenses:
- Microsoft 365 E3 or E5
- Microsoft 365 A3 or A5 for faculty
- Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Copilot](/copilot/manage).
- Microsoft 365 F3 <!--8681080, 8681034-->
- Microsoft 365 A1, A3, or A5
- Copilot with comercial data protection is limited to faculty and higher education students over 18 years of age <!--8681034-->
- Office 365 A1, A3, or A5 <!--8681034-->
- Copilot with comercial data protection is limited to faculty and higher education students over 18 years of age <!--8681034-->
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
1. To verify that commercial data protection is enabled for the user, select the user's **Display name** to open the flyout menu.


@ -1,7 +1,7 @@
---
title: ApplicationControl DDF file
description: View the XML file containing the device description framework (DDF) for the ApplicationControl configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the A
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -313,6 +313,50 @@ The following XML file contains the device description framework (DDF) for the A
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BasePolicyId</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The BasePolicyId of the Policy Indicated by the Policy GUID</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>BasePolicyId</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PolicyOptions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The PolicyOptions of the Policy Indicated by the Policy GUID</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PolicyOptions</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>


@ -1,7 +1,7 @@
---
title: ApplicationControl CSP
description: Learn more about the ApplicationControl CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -24,12 +24,14 @@ The following list shows the ApplicationControl configuration service provider n
- [{Policy GUID}](#policiespolicy-guid)
- [Policy](#policiespolicy-guidpolicy)
- [PolicyInfo](#policiespolicy-guidpolicyinfo)
- [BasePolicyId](#policiespolicy-guidpolicyinfobasepolicyid)
- [FriendlyName](#policiespolicy-guidpolicyinfofriendlyname)
- [IsAuthorized](#policiespolicy-guidpolicyinfoisauthorized)
- [IsBasePolicy](#policiespolicy-guidpolicyinfoisbasepolicy)
- [IsDeployed](#policiespolicy-guidpolicyinfoisdeployed)
- [IsEffective](#policiespolicy-guidpolicyinfoiseffective)
- [IsSystemPolicy](#policiespolicy-guidpolicyinfoissystempolicy)
- [PolicyOptions](#policiespolicy-guidpolicyinfopolicyoptions)
- [Status](#policiespolicy-guidpolicyinfostatus)
- [Version](#policiespolicy-guidpolicyinfoversion)
- [Tokens](#tokens)
@ -200,6 +202,45 @@ Information Describing the Policy indicated by the GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/BasePolicyId
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/BasePolicyId
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Description-Begin -->
<!-- Description-Source-DDF -->
The BasePolicyId of the Policy Indicated by the Policy GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-BasePolicyId-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-FriendlyName-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/FriendlyName
@ -446,6 +487,45 @@ TRUE/FALSE if the Policy is a System Policy, that's a policy managed by Microsof
<!-- Device-Policies-{Policy GUID}-PolicyInfo-IsSystemPolicy-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/PolicyOptions
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1903 [10.0.18362] and later |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Applicability-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-OmaUri-Begin -->
```Device
./Vendor/MSFT/ApplicationControl/Policies/{Policy GUID}/PolicyInfo/PolicyOptions
```
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-OmaUri-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Description-Begin -->
<!-- Description-Source-DDF -->
The PolicyOptions of the Policy Indicated by the Policy GUID.
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Description-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Editable-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-DFProperties-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-Examples-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-PolicyOptions-End -->
<!-- Device-Policies-{Policy GUID}-PolicyInfo-Status-Begin -->
##### Policies/{Policy GUID}/PolicyInfo/Status


@ -1,7 +1,7 @@
---
title: CertificateStore CSP
description: Learn more about the CertificateStore CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -2384,6 +2384,7 @@ Optional. Notify the client whether enrollment server supports ROBO auto certifi
| Value | Description |
|:--|:--|
| true (Default) | True. |
| false | False. |
<!-- Device-MY-WSTEP-Renew-ROBOSupport-AllowedValues-End -->
<!-- Device-MY-WSTEP-Renew-ROBOSupport-Examples-Begin -->


@ -1,7 +1,7 @@
---
title: CertificateStore DDF file
description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -1252,6 +1252,10 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>True</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>False</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>


@ -1,7 +1,7 @@
---
title: ClientCertificateInstall CSP
description: Learn more about the ClientCertificateInstall CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -392,7 +392,7 @@ When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the s
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get, Replace |
| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType` <br> Dependency Allowed Value: `[2]` <br> Dependency Allowed Value Type: `Range` <br> |
| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType` <br> Dependency Allowed Value: `[2]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-DFProperties-End -->
<!-- Device-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Examples-Begin -->
@ -492,7 +492,7 @@ The PFX isn't exportable when it's installed to TPM.
| Format | `bool` |
| Access Type | Add, Get, Replace |
| Default Value | true |
| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation` <br> Dependency Allowed Value: `[3]` <br> Dependency Allowed Value Type: `Range` <br> |
| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation` <br> Dependency Allowed Value: `[3]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-PFXCertInstall-{UniqueID}-PFXKeyExportable-DFProperties-End -->
<!-- Device-PFXCertInstall-{UniqueID}-PFXKeyExportable-AllowedValues-Begin -->
@ -1968,7 +1968,7 @@ When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the s
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get, Replace |
| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType` <br> Dependency Allowed Value: `[2]` <br> Dependency Allowed Value Type: `Range` <br> |
| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType` <br> Dependency Allowed Value: `[2]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-DFProperties-End -->
<!-- User-PFXCertInstall-{UniqueID}-PFXCertPasswordEncryptionStore-Examples-Begin -->
@ -2066,7 +2066,7 @@ Optional. Used to specify if the private key installed is exportable (can be exp
| Format | `bool` |
| Access Type | Add, Get, Replace |
| Default Value | true |
| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation` <br> Dependency Allowed Value: `[3]` <br> Dependency Allowed Value Type: `Range` <br> |
| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation` <br> Dependency Allowed Value: `[3]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- User-PFXCertInstall-{UniqueID}-PFXKeyExportable-DFProperties-End -->
<!-- User-PFXCertInstall-{UniqueID}-PFXKeyExportable-AllowedValues-Begin -->


@ -1,7 +1,7 @@
---
title: ClientCertificateInstall DDF file
description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -72,8 +72,8 @@ The following XML file contains the device description framework (DDF) for the C
<Get />
<Replace />
</AccessType>
<Description>Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
Format is node.
<Description>Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
Format is node.
Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
</Description>
<DFFormat>
@ -143,7 +143,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha
<Get />
<Replace />
</AccessType>
<Description>Optional.
<Description>Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.</Description>
<DFFormat>
<chr />
@ -169,7 +169,7 @@ Specifies the NGC container name (if NGC KSP is chosen for above node). If this
<Get />
<Replace />
</AccessType>
<Description>Required.
<Description>Required.
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten.
If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail.
@ -227,7 +227,7 @@ CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Optional. Used to specify if the PFX certificate password is encrypted with a certificate.
If the value is
If the value is
0 - Password is not encrypted
1- Password is encrypted using the MDM certificate by the MDM server
2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.</Description>
@ -294,7 +294,7 @@ If the value is
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="KeyLocationDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation</MSFT:DependencyUri>
<MSFT:DependencyUri>User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Value>[3]</MSFT:Value>
</MSFT:DependencyAllowedValue>
@ -353,7 +353,7 @@ If the value is
<Get />
<Replace />
</AccessType>
<Description>Optional.
<Description>Optional.
When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. </Description>
<DFFormat>
<chr />
@ -372,7 +372,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EncryptionTypeDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType</MSFT:DependencyUri>
<MSFT:DependencyUri>User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Value>[2]</MSFT:Value>
</MSFT:DependencyAllowedValue>
@ -413,7 +413,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the
<Get />
<Replace />
</AccessType>
<Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
<Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
Calling Delete on the this node, should delete the corresponding SCEP certificate</Description>
<DFFormat>
<node />
@ -596,7 +596,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
<Replace />
</AccessType>
<DefaultValue>3</DefaultValue>
<Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
<Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
SCEP enrolled cert doesnt support TPM PIN protection. </Description>
<DFFormat>
<int />
@ -640,7 +640,7 @@ SCEP enrolled cert doesnt support TPM PIN protection. </Description>
<Replace />
</AccessType>
<DefaultValue>5</DefaultValue>
<Description>Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
<Description>Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
Default value is: 5
The min value is 1. </Description>
@ -725,7 +725,7 @@ The min value is 0 which means no retry. </Description>
<Get />
<Replace />
</AccessType>
<Description>Required for enrollment. Specify private key length (RSA).
<Description>Required for enrollment. Specify private key length (RSA).
Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.</Description>
<DFFormat>
<int />
@ -764,7 +764,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.</D
<Get />
<Replace />
</AccessType>
<Description>Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +.
<Description>Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +.
For NGC, only SHA256 is supported as the supported algorithm</Description>
<DFFormat>
@ -845,7 +845,7 @@ For NGC, only SHA256 is supported as the supported algorithm</Description>
<Replace />
</AccessType>
<DefaultValue>Days</DefaultValue>
<Description>Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
<Description>Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the servers decision on how to use this valid period to create the certificate.</Description>
<DFFormat>
<chr />
@ -885,7 +885,7 @@ MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the servers decision on how to use this valid period to create the certificate.</Description>
<DFFormat>
<int />
@ -912,7 +912,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio
<Get />
<Replace />
</AccessType>
<Description>Optional.
<Description>Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.</Description>
<DFFormat>
<chr />
@ -1122,7 +1122,7 @@ Valid values are:
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -1155,8 +1155,8 @@ Valid values are:
<Get />
<Replace />
</AccessType>
<Description>Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
Format is node.
<Description>Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
Format is node.
Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
</Description>
<DFFormat>
@ -1226,7 +1226,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha
<Get />
<Replace />
</AccessType>
<Description>Optional.
<Description>Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.</Description>
<DFFormat>
<chr />
@ -1252,7 +1252,7 @@ Specifies the NGC container name (if NGC KSP is chosen for above node). If this
<Get />
<Replace />
</AccessType>
<Description>Required.
<Description>Required.
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten.
If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail.
@ -1310,7 +1310,7 @@ CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Optional. Used to specify if the PFX certificate password is encrypted with a certificate.
If the value is
If the value is
0 - Password is not encrypted
1- Password is encrypted using the MDM certificate by the MDM server
2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.</Description>
@ -1377,7 +1377,7 @@ If the value is
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="KeyLocationDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation</MSFT:DependencyUri>
<MSFT:DependencyUri>Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Value>[3]</MSFT:Value>
</MSFT:DependencyAllowedValue>
@ -1436,7 +1436,7 @@ If the value is
<Get />
<Replace />
</AccessType>
<Description>Optional.
<Description>Optional.
When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. </Description>
<DFFormat>
<chr />
@ -1455,7 +1455,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="EncryptionTypeDependency">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType</MSFT:DependencyUri>
<MSFT:DependencyUri>Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Value>[2]</MSFT:Value>
</MSFT:DependencyAllowedValue>
@ -1496,7 +1496,7 @@ When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the
<Get />
<Replace />
</AccessType>
<Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
<Description>Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
Calling Delete on the this node, should delete the corresponding SCEP certificate</Description>
<DFFormat>
<node />
@ -1679,7 +1679,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat
<Replace />
</AccessType>
<DefaultValue>3</DefaultValue>
<Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
<Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
SCEP enrolled cert doesnt support TPM PIN protection. </Description>
<DFFormat>
<int />
@ -1723,7 +1723,7 @@ SCEP enrolled cert doesnt support TPM PIN protection. </Description>
<Replace />
</AccessType>
<DefaultValue>5</DefaultValue>
<Description>Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
<Description>Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
Default value is: 5
The min value is 1. </Description>
@ -1808,7 +1808,7 @@ The min value is 0 which means no retry. </Description>
<Get />
<Replace />
</AccessType>
<Description>Required for enrollment. Specify private key length (RSA).
<Description>Required for enrollment. Specify private key length (RSA).
Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.</Description>
<DFFormat>
<int />
@ -1847,7 +1847,7 @@ Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.</D
<Get />
<Replace />
</AccessType>
<Description>Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +.
<Description>Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +.
For NGC, only SHA256 is supported as the supported algorithm</Description>
<DFFormat>
@ -1928,7 +1928,7 @@ For NGC, only SHA256 is supported as the supported algorithm</Description>
<Replace />
</AccessType>
<DefaultValue>Days</DefaultValue>
<Description>Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
<Description>Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the servers decision on how to use this valid period to create the certificate.</Description>
<DFFormat>
<chr />
@ -1968,7 +1968,7 @@ MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<Description>Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the servers decision on how to use this valid period to create the certificate.</Description>
<DFFormat>
<int />
@ -1995,7 +1995,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio
<Get />
<Replace />
</AccessType>
<Description>Optional.
<Description>Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.</Description>
<DFFormat>
<chr />


@ -1,7 +1,7 @@
---
title: CloudDesktop DDF file
description: View the XML file containing the device description framework (DDF) for the CloudDesktop configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the C
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -53,7 +53,7 @@ The following XML file contains the device description framework (DDF) for the C
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.</Description>
<Description>This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Dedicated Mode (Cloud only): Dedicated mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.</Description>
<DFFormat>
<int />
</DFFormat>
@ -82,7 +82,7 @@ The following XML file contains the device description framework (DDF) for the C
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Enable Boot to Cloud Personal Mode (Cloud only)</MSFT:ValueDescription>
<MSFT:ValueDescription>Enable Boot to Cloud Dedicated Mode (Cloud only)</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>


@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -24,7 +24,20 @@ The following list shows the Defender configuration service provider nodes:
- [AllowNetworkProtectionDownLevel](#configurationallownetworkprotectiondownlevel)
- [AllowNetworkProtectionOnWinServer](#configurationallownetworkprotectiononwinserver)
- [AllowSwitchToAsyncInspection](#configurationallowswitchtoasyncinspection)
- [ArchiveMaxDepth](#configurationarchivemaxdepth)
- [ArchiveMaxSize](#configurationarchivemaxsize)
- [ASROnlyPerRuleExclusions](#configurationasronlyperruleexclusions)
- [BehavioralNetworkBlocks](#configurationbehavioralnetworkblocks)
- [BruteForceProtection](#configurationbehavioralnetworkblocksbruteforceprotection)
- [BruteForceProtectionAggressiveness](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionaggressiveness)
- [BruteForceProtectionConfiguredState](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionconfiguredstate)
- [BruteForceProtectionExclusions](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionexclusions)
- [BruteForceProtectionMaxBlockTime](#configurationbehavioralnetworkblocksbruteforceprotectionbruteforceprotectionmaxblocktime)
- [RemoteEncryptionProtection](#configurationbehavioralnetworkblocksremoteencryptionprotection)
- [RemoteEncryptionProtectionAggressiveness](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionaggressiveness)
- [RemoteEncryptionProtectionConfiguredState](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionconfiguredstate)
- [RemoteEncryptionProtectionExclusions](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionexclusions)
- [RemoteEncryptionProtectionMaxBlockTime](#configurationbehavioralnetworkblocksremoteencryptionprotectionremoteencryptionprotectionmaxblocktime)
- [DataDuplicationDirectory](#configurationdataduplicationdirectory)
- [DataDuplicationLocalRetentionPeriod](#configurationdataduplicationlocalretentionperiod)
- [DataDuplicationMaximumQuota](#configurationdataduplicationmaximumquota)
@ -356,6 +369,88 @@ Control whether network protection can improve performance by switching from rea
<!-- Device-Configuration-AllowSwitchToAsyncInspection-End -->
<!-- Device-Configuration-ArchiveMaxDepth-Begin -->
### Configuration/ArchiveMaxDepth
<!-- Device-Configuration-ArchiveMaxDepth-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-ArchiveMaxDepth-Applicability-End -->
<!-- Device-Configuration-ArchiveMaxDepth-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/ArchiveMaxDepth
```
<!-- Device-Configuration-ArchiveMaxDepth-OmaUri-End -->
<!-- Device-Configuration-ArchiveMaxDepth-Description-Begin -->
<!-- Description-Source-DDF -->
Specify the maximum folder depth to extract from archive files for scanning. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted up to the deepest folder for scanning.
<!-- Device-Configuration-ArchiveMaxDepth-Description-End -->
<!-- Device-Configuration-ArchiveMaxDepth-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-ArchiveMaxDepth-Editable-End -->
<!-- Device-Configuration-ArchiveMaxDepth-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- Device-Configuration-ArchiveMaxDepth-DFProperties-End -->
<!-- Device-Configuration-ArchiveMaxDepth-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-ArchiveMaxDepth-Examples-End -->
<!-- Device-Configuration-ArchiveMaxDepth-End -->
<!-- Device-Configuration-ArchiveMaxSize-Begin -->
### Configuration/ArchiveMaxSize
<!-- Device-Configuration-ArchiveMaxSize-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-ArchiveMaxSize-Applicability-End -->
<!-- Device-Configuration-ArchiveMaxSize-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/ArchiveMaxSize
```
<!-- Device-Configuration-ArchiveMaxSize-OmaUri-End -->
<!-- Device-Configuration-ArchiveMaxSize-Description-Begin -->
<!-- Description-Source-DDF -->
Specify the maximum size, in KB, of archive files to be extracted and scanned. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted and scanned regardless of size.
<!-- Device-Configuration-ArchiveMaxSize-Description-End -->
<!-- Device-Configuration-ArchiveMaxSize-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-ArchiveMaxSize-Editable-End -->
<!-- Device-Configuration-ArchiveMaxSize-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- Device-Configuration-ArchiveMaxSize-DFProperties-End -->
<!-- Device-Configuration-ArchiveMaxSize-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-ArchiveMaxSize-Examples-End -->
<!-- Device-Configuration-ArchiveMaxSize-End -->
<!-- Device-Configuration-ASROnlyPerRuleExclusions-Begin -->
### Configuration/ASROnlyPerRuleExclusions
@ -395,6 +490,485 @@ Apply ASR only per rule exclusions.
<!-- Device-Configuration-ASROnlyPerRuleExclusions-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Begin -->
### Configuration/BehavioralNetworkBlocks
<!-- Device-Configuration-BehavioralNetworkBlocks-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks
```
<!-- Device-Configuration-BehavioralNetworkBlocks-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- Device-Configuration-BehavioralNetworkBlocks-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Begin -->
#### Configuration/BehavioralNetworkBlocks/BruteForceProtection
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Begin -->
##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionAggressiveness
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionAggressiveness
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Description-Begin -->
<!-- Description-Source-DDF -->
Set the criteria for when Brute-Force Protection blocks IP addresses.
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Low: Only IP addresses that are 100% confidence malicious (default). |
| 1 | Medium: Use cloud aggregation to block IP addresses that are over 99% likely malicious. |
| 2 | High: Block IP addresses identified using client intelligence and context to block IP addresses that are over 90% likely malicious. |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-AllowedValues-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionAggressiveness-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Begin -->
##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionConfiguredState
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionConfiguredState
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Description-Begin -->
<!-- Description-Source-DDF -->
Brute-Force Protection in Microsoft Defender Antivirus detects and blocks attempts to forcibly sign in and initiate sessions.
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured: Apply defaults set by the antivirus engine and platform. |
| 1 | Block: Prevent suspicious and malicious behaviors. |
| 2 | Audit: Generate EDR detections without blocking. |
| 4 | Off: Feature is disabled with no performance impact. |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-AllowedValues-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionConfiguredState-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Begin -->
##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionExclusions
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionExclusions
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Description-Begin -->
<!-- Description-Source-DDF -->
Specify IP addresses, subnets, or workstation names to exclude from being blocked by Brute-Force Protection. Note that attackers can spoof excluded addresses and names to bypass protection.
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `|`) |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionExclusions-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Begin -->
##### Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionMaxBlockTime
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/BruteForceProtection/BruteForceProtectionMaxBlockTime
```
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Description-Begin -->
<!-- Description-Source-DDF -->
Set the maximum time an IP address is blocked by Brute-Force Protection. After this time, blocked IP addresses will be able to sign-in and initiate sessions. If set to 0, internal feature logic will determine blocking time.
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-BruteForceProtection-BruteForceProtectionMaxBlockTime-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Begin -->
#### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Begin -->
##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionAggressiveness
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionAggressiveness
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Description-Begin -->
<!-- Description-Source-DDF -->
Set the criteria for when Remote Encryption Protection blocks IP addresses.
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Low: Block only when confidence level is 100% (Default). |
| 1 | Medium: Use cloud aggregation and block when confidence level is above 99%. |
| 2 | High: Use cloud intel and context, and block when confidence level is above 90%. |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-AllowedValues-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionAggressiveness-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Begin -->
##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionConfiguredState
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionConfiguredState
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Description-Begin -->
<!-- Description-Source-DDF -->
Remote Encryption Protection in Microsoft Defender Antivirus detects and blocks attempts to replace local files with encrypted versions from another device.
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured: Apply defaults set for the antivirus engine and platform. |
| 1 | Block: Prevent suspicious and malicious behaviors. |
| 2 | Audit: Generate EDR detections without blocking. |
| 4 | Off: Feature is off with no performance impact. |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-AllowedValues-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionConfiguredState-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Begin -->
##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionExclusions
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionExclusions
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Description-Begin -->
<!-- Description-Source-DDF -->
Specify IP addresses, subnets, or workstation names to exclude from being blocked by Remote Encryption Protection. Note that attackers can spoof excluded addresses and names to bypass protection.
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `|`) |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionExclusions-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Begin -->
##### Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionMaxBlockTime
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Applicability-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/BehavioralNetworkBlocks/RemoteEncryptionProtection/RemoteEncryptionProtectionMaxBlockTime
```
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-OmaUri-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Description-Begin -->
<!-- Description-Source-DDF -->
Set the maximum time an IP address is blocked by Remote Encryption Protection. After this time, blocked IP addresses will be able to reinitiate connections. If set to 0, internal feature logic will determine blocking time.
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Description-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Editable-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-DFProperties-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-Examples-End -->
<!-- Device-Configuration-BehavioralNetworkBlocks-RemoteEncryptionProtection-RemoteEncryptionProtectionMaxBlockTime-End -->
<!-- Device-Configuration-DataDuplicationDirectory-Begin -->
### Configuration/DataDuplicationDirectory
@ -533,7 +1107,7 @@ Defines the maximum data duplication quota in MB that can be collected. When the
<!-- Device-Configuration-DataDuplicationRemoteLocation-Description-Begin -->
<!-- Description-Source-DDF -->
Define data duplication remote location for device control.
Define data duplication remote location for Device Control. When configuring this setting, ensure that Device Control is Enabled and that the provided path is a remote path the user can access.
<!-- Device-Configuration-DataDuplicationRemoteLocation-Description-End -->
<!-- Device-Configuration-DataDuplicationRemoteLocation-Editable-Begin -->
@ -1834,8 +2408,8 @@ This setting enables the DNS Sinkhole feature for Network Protection, respecting
| Value | Description |
|:--|:--|
| 1 (Default) | DNS Sinkhole is disabled. |
| 0 | DNS Sinkhole is enabled. |
| 0 | DNS Sinkhole is disabled. |
| 1 (Default) | DNS Sinkhole is enabled. |
<!-- Device-Configuration-EnableDnsSinkhole-AllowedValues-End -->
<!-- Device-Configuration-EnableDnsSinkhole-Examples-Begin -->
@ -2202,7 +2776,7 @@ Allow managed devices to update through metered connections. Default is 0 - not
<!-- Device-Configuration-NetworkProtectionReputationMode-Description-Begin -->
<!-- Description-Source-DDF -->
This sets the reputation mode for Network Protection.
This sets the reputation mode engine for Network Protection.
<!-- Device-Configuration-NetworkProtectionReputationMode-Description-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Editable-Begin -->
@ -2219,6 +2793,15 @@ This sets the reputation mode for Network Protection.
| Default Value | 0 |
<!-- Device-Configuration-NetworkProtectionReputationMode-DFProperties-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Use standard reputation engine. |
| 1 | Use ESP reputation engine. |
<!-- Device-Configuration-NetworkProtectionReputationMode-AllowedValues-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Examples-End -->
@ -2743,9 +3326,19 @@ Defines which device's primary ids should be secured by Defender Device Control.
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Regular Expression: `^RemovableMediaDevices|CdRomDevices|WpdDevices|PrinterDevices$` |
<!-- Device-Configuration-SecuredDevicesConfiguration-DFProperties-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| RemovableMediaDevices | RemovableMediaDevices. |
| CdRomDevices | CdRomDevices. |
| WpdDevices | WpdDevices. |
| PrinterDevices | PrinterDevices. |
<!-- Device-Configuration-SecuredDevicesConfiguration-AllowedValues-End -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-SecuredDevicesConfiguration-Examples-End -->


@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -39,7 +39,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -1747,11 +1747,11 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>DNS Sinkhole is disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>DNS Sinkhole is enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
@ -2464,7 +2464,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get />
<Replace />
</AccessType>
<Description>Define data duplication remote location for device control.</Description>
<Description>Define data duplication remote location for Device Control. When configuring this setting, ensure that Device Control is Enabled and that the provided path is a remote path the user can access.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -2511,8 +2511,23 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="RegEx">
<MSFT:Value>^RemovableMediaDevices|CdRomDevices|WpdDevices|PrinterDevices$</MSFT:Value>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>RemovableMediaDevices</MSFT:Value>
<MSFT:ValueDescription>RemovableMediaDevices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>CdRomDevices</MSFT:Value>
<MSFT:ValueDescription>CdRomDevices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>WpdDevices</MSFT:Value>
<MSFT:ValueDescription>WpdDevices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>PrinterDevices</MSFT:Value>
<MSFT:ValueDescription>PrinterDevices</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:List Delimiter="|" />
</MSFT:AllowedValues>
</DFProperties>
@ -2837,7 +2852,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This sets the reputation mode for Network Protection.</Description>
<Description>This sets the reputation mode engine for Network Protection.</Description>
<DFFormat>
<int />
</DFFormat>
@ -2854,6 +2869,16 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Use standard reputation engine</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Use ESP reputation engine</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
@ -2934,6 +2959,70 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ArchiveMaxSize</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Specify the maximum size, in KB, of archive files to be extracted and scanned. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted and scanned regardless of size.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-4294967295]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ArchiveMaxDepth</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Specify the maximum folder depth to extract from archive files for scanning. If this configuration is off or not set, the default value (0) is applied, and all archives are extracted up to the deepest folder for scanning.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-4294967295]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>ScanOnlyIfIdleEnabled</NodeName>
<DFProperties>
@ -3012,6 +3101,377 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>BehavioralNetworkBlocks</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
<Node>
<NodeName>RemoteEncryptionProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>RemoteEncryptionProtectionConfiguredState</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Remote Encryption Protection in Microsoft Defender Antivirus detects and blocks attempts to replace local files with encrypted versions from another device.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Not configured: Apply defaults set for the antivirus engine and platform</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block: Prevent suspicious and malicious behaviors</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Audit: Generate EDR detections without blocking</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Off: Feature is off with no performance impact</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RemoteEncryptionProtectionMaxBlockTime</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Set the maximum time an IP address is blocked by Remote Encryption Protection. After this time, blocked IP addresses will be able to reinitiate connections. If set to 0, internal feature logic will determine blocking time.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-4294967295]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RemoteEncryptionProtectionAggressiveness</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Set the criteria for when Remote Encryption Protection blocks IP addresses.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Low: Block only when confidence level is 100% (Default)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Medium: Use cloud aggregation and block when confidence level is above 99%</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>High: Use cloud intel and context, and block when confidence level is above 90%</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>RemoteEncryptionProtectionExclusions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Specify IP addresses, subnets, or workstation names to exclude from being blocked by Remote Encryption Protection. Note that attackers can spoof excluded addresses and names to bypass protection.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
<MSFT:List Delimiter="|" />
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>BruteForceProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>BruteForceProtectionConfiguredState</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Brute-Force Protection in Microsoft Defender Antivirus detects and blocks attempts to forcibly sign in and initiate sessions.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Not configured: Apply defaults set by the antivirus engine and platform</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Block: Prevent suspicious and malicious behaviors</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Audit: Generate EDR detections without blocking</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Off: Feature is disabled with no performance impact</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>BruteForceProtectionMaxBlockTime</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Set the maximum time an IP address is blocked by Brute-Force Protection. After this time, blocked IP addresses will be able to sign-in and initiate sessions. If set to 0, internal feature logic will determine blocking time.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[0-4294967295]</MSFT:Value>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>BruteForceProtectionAggressiveness</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Set the criteria for when Brute-Force Protection blocks IP addresses.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Low: Only IP addresses that are 100% confidence malicious (default)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Medium: Use cloud aggregation to block IP addresses that are over 99% likely malicious</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>High: Block IP addresses identified using client intelligence and context to block IP addresses that are over 90% likely malicious</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>BruteForceProtectionExclusions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specify IP addresses, subnets, or workstation names to exclude from being blocked by Brute-Force Protection. Note that attackers can spoof excluded addresses and names to bypass protection.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="None">
<MSFT:List Delimiter="|" />
</MSFT:AllowedValues>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>


@ -1,7 +1,7 @@
---
title: DevicePreparation CSP
description: Learn more about the DevicePreparation CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -26,6 +26,9 @@ The following list shows the DevicePreparation configuration service provider no
- [Progress](#mdmproviderprogress)
- [RebootRequired](#mdmproviderrebootrequired)
- [PageEnabled](#pageenabled)
- [PageErrorCode](#pageerrorcode)
- [PageErrorDetails](#pageerrordetails)
- [PageErrorPhase](#pageerrorphase)
- [PageSettings](#pagesettings)
- [PageStatus](#pagestatus)
<!-- DevicePreparation-Tree-End -->
@ -306,6 +309,133 @@ This node determines whether to show the Device Preparation page during OOBE.
<!-- Device-PageEnabled-End -->
<!-- Device-PageErrorCode-Begin -->
## PageErrorCode
<!-- Device-PageErrorCode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-PageErrorCode-Applicability-End -->
<!-- Device-PageErrorCode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/PageErrorCode
```
<!-- Device-PageErrorCode-OmaUri-End -->
<!-- Device-PageErrorCode-Description-Begin -->
<!-- Description-Source-DDF -->
This node provides specific overall HRESULT causing a fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value isn't Unknown.
<!-- Device-PageErrorCode-Description-End -->
<!-- Device-PageErrorCode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-PageErrorCode-Editable-End -->
<!-- Device-PageErrorCode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
<!-- Device-PageErrorCode-DFProperties-End -->
<!-- Device-PageErrorCode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-PageErrorCode-Examples-End -->
<!-- Device-PageErrorCode-End -->
<!-- Device-PageErrorDetails-Begin -->
## PageErrorDetails
<!-- Device-PageErrorDetails-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-PageErrorDetails-Applicability-End -->
<!-- Device-PageErrorDetails-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/PageErrorDetails
```
<!-- Device-PageErrorDetails-OmaUri-End -->
<!-- Device-PageErrorDetails-Description-Begin -->
<!-- Description-Source-DDF -->
This node provides optional details for any fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value isn't Unknown, but not all errors will have details.
<!-- Device-PageErrorDetails-Description-End -->
<!-- Device-PageErrorDetails-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-PageErrorDetails-Editable-End -->
<!-- Device-PageErrorDetails-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- Device-PageErrorDetails-DFProperties-End -->
<!-- Device-PageErrorDetails-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-PageErrorDetails-Examples-End -->
<!-- Device-PageErrorDetails-End -->
<!-- Device-PageErrorPhase-Begin -->
## PageErrorPhase
<!-- Device-PageErrorPhase-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-PageErrorPhase-Applicability-End -->
<!-- Device-PageErrorPhase-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/PageErrorPhase
```
<!-- Device-PageErrorPhase-OmaUri-End -->
<!-- Device-PageErrorPhase-Description-Begin -->
<!-- Description-Source-DDF -->
This node provides the specific phase that failed during the Device Preparation page. Values are an enum: 0 = Unknown; 1 = AgentDownload; 2 = AgentProgress.
<!-- Device-PageErrorPhase-Description-End -->
<!-- Device-PageErrorPhase-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-PageErrorPhase-Editable-End -->
<!-- Device-PageErrorPhase-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
<!-- Device-PageErrorPhase-DFProperties-End -->
<!-- Device-PageErrorPhase-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Unknown. |
| 1 | AgentDownload. |
| 2 | AgentProgress. |
<!-- Device-PageErrorPhase-AllowedValues-End -->
<!-- Device-PageErrorPhase-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-PageErrorPhase-Examples-End -->
<!-- Device-PageErrorPhase-End -->
<!-- Device-PageSettings-Begin -->
## PageSettings


@ -1,7 +1,7 @@
---
title: DevicePreparation DDF file
description: View the XML file containing the device description framework (DDF) for the DevicePreparation configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -110,6 +110,83 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PageErrorPhase</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node provides the specific phase that failed during the Device Preparation page. Values are an enum: 0 = Unknown; 1 = AgentDownload; 2 = AgentProgress.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Unknown</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>AgentDownload</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>AgentProgress</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>PageErrorCode</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node provides specific overall HRESULT causing a fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value is not Unknown.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PageErrorDetails</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node provides optional details for any fatal error on the Device Preparation page. This node is valid only if the PageErrorPhase node's value is not Unknown, but not all errors will have details.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PageSettings</NodeName>
<DFProperties>


@ -1,7 +1,7 @@
---
title: DMAcc CSP
description: Learn more about the DMAcc CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -709,7 +709,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get, Replace |
| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel` <br> Dependency Allowed Value: `SRVCRED` <br> Dependency Allowed Value Type: `ENUM` <br> |
| Dependency [AAuthlevelDependency] | Dependency Type: `DependsOn` <br> Dependency URI: `Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel` <br> Dependency Allowed Value: `SRVCRED` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-{AccountUID}-AppAuth-{ObjectName}-AAuthType-DFProperties-End -->
<!-- Device-{AccountUID}-AppAuth-{ObjectName}-AAuthType-AllowedValues-Begin -->


@ -1,7 +1,7 @@
---
title: DMAcc DDF file
description: View the XML file containing the device description framework (DDF) for the DMAcc configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -527,7 +527,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum>
</MSFT:DependencyChangedAllowedValues>
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel</MSFT:DependencyUri>
<MSFT:DependencyUri>Syncml/DMAcc/[AccountUID]/AppAuth/[ObjectName]/AAuthLevel</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>SRVCRED</MSFT:Value>


@ -1,7 +1,7 @@
---
title: HealthAttestation CSP
description: Learn more about the HealthAttestation CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- HealthAttestation-Begin -->
# HealthAttestation CSP
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HealthAttestation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT administrators to assess if a device is booted to a trusted and compliant state, and to take enterprise policy actions.
@ -25,6 +27,7 @@ The following list is a description of the functions performed by the Device Hea
The following list shows the HealthAttestation configuration service provider nodes:
- ./Vendor/MSFT/HealthAttestation
- [AttestErrorMessage](#attesterrormessage)
- [AttestStatus](#atteststatus)
- [Certificate](#certificate)
- [CorrelationID](#correlationid)
@ -42,6 +45,45 @@ The following list shows the HealthAttestation configuration service provider no
- [VerifyHealth](#verifyhealth)
<!-- HealthAttestation-Tree-End -->
<!-- Device-AttestErrorMessage-Begin -->
## AttestErrorMessage
<!-- Device-AttestErrorMessage-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-AttestErrorMessage-Applicability-End -->
<!-- Device-AttestErrorMessage-OmaUri-Begin -->
```Device
./Vendor/MSFT/HealthAttestation/AttestErrorMessage
```
<!-- Device-AttestErrorMessage-OmaUri-End -->
<!-- Device-AttestErrorMessage-Description-Begin -->
<!-- Description-Source-DDF -->
AttestErrorMessage maintains the error message for the last attestation session, if returned by the attestation service.
<!-- Device-AttestErrorMessage-Description-End -->
<!-- Device-AttestErrorMessage-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-AttestErrorMessage-Editable-End -->
<!-- Device-AttestErrorMessage-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
<!-- Device-AttestErrorMessage-DFProperties-End -->
<!-- Device-AttestErrorMessage-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-AttestErrorMessage-Examples-End -->
<!-- Device-AttestErrorMessage-End -->
<!-- Device-AttestStatus-Begin -->
## AttestStatus


@ -1,7 +1,7 @@
---
title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -40,7 +40,7 @@ The following XML file contains the device description framework (DDF) for the H
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -416,6 +416,31 @@ The following XML file contains the device description framework (DDF) for the H
</MSFT:Applicability>
</DFProperties>
</Node>
<Node>
<NodeName>AttestErrorMessage</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>AttestErrorMessage maintains the error message for the last attestation session, if returned by the attestation service.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```


@ -1,7 +1,7 @@
---
title: LAPS CSP
description: Learn more about the LAPS CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -34,7 +34,13 @@ The following list shows the LAPS configuration service provider nodes:
- [AdministratorAccountName](#policiesadministratoraccountname)
- [ADPasswordEncryptionEnabled](#policiesadpasswordencryptionenabled)
- [ADPasswordEncryptionPrincipal](#policiesadpasswordencryptionprincipal)
- [AutomaticAccountManagementEnableAccount](#policiesautomaticaccountmanagementenableaccount)
- [AutomaticAccountManagementEnabled](#policiesautomaticaccountmanagementenabled)
- [AutomaticAccountManagementNameOrPrefix](#policiesautomaticaccountmanagementnameorprefix)
- [AutomaticAccountManagementRandomizeName](#policiesautomaticaccountmanagementrandomizename)
- [AutomaticAccountManagementTarget](#policiesautomaticaccountmanagementtarget)
- [BackupDirectory](#policiesbackupdirectory)
- [PassphraseLength](#policiespassphraselength)
- [PasswordAgeDays](#policiespasswordagedays)
- [PasswordComplexity](#policiespasswordcomplexity)
- [PasswordExpirationProtectionEnabled](#policiespasswordexpirationprotectionenabled)
@ -420,6 +426,275 @@ If the specified user or group account is invalid the device will fallback to us
<!-- Device-Policies-ADPasswordEncryptionPrincipal-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Begin -->
### Policies/AutomaticAccountManagementEnableAccount
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount
```
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure whether the automatically managed account is enabled or disabled.
- If this setting is enabled, the target account will be enabled.
- If this setting is disabled, the target account will be disabled.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| False (Default) | The target account will be disabled. |
| True | The target account will be enabled. |
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementEnableAccount-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Begin -->
### Policies/AutomaticAccountManagementEnabled
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementEnabled-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled
```
<!-- Device-Policies-AutomaticAccountManagementEnabled-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to specify whether automatic account management is enabled.
- If this setting is enabled, the target account will be automatically managed.
- If this setting is disabled, the target account won't be automatically managed.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementEnabled-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
<!-- Device-Policies-AutomaticAccountManagementEnabled-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | The target account won't be automatically managed. |
| true | The target account will be automatically managed. |
<!-- Device-Policies-AutomaticAccountManagementEnabled-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementEnabled-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Begin -->
### Policies/AutomaticAccountManagementNameOrPrefix
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix
```
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure the name or prefix of the managed local administrator account.
If specified, the value will be used as the name or name prefix of the managed account.
If not specified, this setting will default to "WLapsAdmin".
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementNameOrPrefix-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Begin -->
### Policies/AutomaticAccountManagementRandomizeName
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName
```
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.
If this setting is enabled, the name of the target account will use a random numeric suffix.
If this setting is disbled, the name of the target account won't use a random numeric suffix.
If not specified, this setting defaults to False.
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | False |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| False (Default) | The name of the target account won't use a random numeric suffix. |
| True | The name of the target account will use a random numeric suffix. |
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementRandomizeName-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Begin -->
### Policies/AutomaticAccountManagementTarget
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-AutomaticAccountManagementTarget-Applicability-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget
```
<!-- Device-Policies-AutomaticAccountManagementTarget-OmaUri-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure which account is automatically managed.
The allowable settings are:
0=The builtin administrator account will be managed.
1=A new account created by Windows LAPS will be managed.
If not specified, this setting will default to 1.
<!-- Device-Policies-AutomaticAccountManagementTarget-Description-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Editable-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
| Dependency [AutomaticAccountManagementEnabled] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled` <br> Dependency Allowed Value: `true` <br> Dependency Allowed Value Type: `ENUM` <br> |
<!-- Device-Policies-AutomaticAccountManagementTarget-DFProperties-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Manage the built-in administrator account. |
| 1 (Default) | Manage a new custom administrator account. |
<!-- Device-Policies-AutomaticAccountManagementTarget-AllowedValues-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-AutomaticAccountManagementTarget-Examples-End -->
<!-- Device-Policies-AutomaticAccountManagementTarget-End -->
<!-- Device-Policies-BackupDirectory-Begin -->
### Policies/BackupDirectory
@ -478,6 +753,54 @@ If not specified, this setting will default to 0.
<!-- Device-Policies-BackupDirectory-End -->
<!-- Device-Policies-PassphraseLength-Begin -->
### Policies/PassphraseLength
<!-- Device-Policies-PassphraseLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- Device-Policies-PassphraseLength-Applicability-End -->
<!-- Device-Policies-PassphraseLength-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/LAPS/Policies/PassphraseLength
```
<!-- Device-Policies-PassphraseLength-OmaUri-End -->
<!-- Device-Policies-PassphraseLength-Description-Begin -->
<!-- Description-Source-DDF -->
Use this setting to configure the number of passphrase words.
If not specified, this setting will default to 6 words.
This setting has a minimum allowed value of 3 words.
This setting has a maximum allowed value of 10 words.
<!-- Device-Policies-PassphraseLength-Description-End -->
<!-- Device-Policies-PassphraseLength-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Policies-PassphraseLength-Editable-End -->
<!-- Device-Policies-PassphraseLength-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[3-10]` |
| Default Value | 6 |
| Dependency [PasswordComplexity] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/PasswordComplexity` <br> Dependency Allowed Value: `[6-8]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-Policies-PassphraseLength-DFProperties-End -->
<!-- Device-Policies-PassphraseLength-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Policies-PassphraseLength-Examples-End -->
<!-- Device-Policies-PassphraseLength-End -->
<!-- Device-Policies-PasswordAgeDays-Begin -->
### Policies/PasswordAgeDays
@ -550,9 +873,15 @@ The allowable settings are:
1=Large letters
2=Large letters + small letters
3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters.
4=Large letters + small letters + numbers + special characters
5=Large letters + small letters + numbers + special characters (improved readability)
6=Passphrase (long words)
7=Passphrase (short words)
8=Passphrase (short words with unique prefixes)
If not specified, this setting will default to 4.
Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license. See <https://go.microsoft.com/fwlink/?linkid=2255471> for more information.
<!-- Device-Policies-PasswordComplexity-Description-End -->
<!-- Device-Policies-PasswordComplexity-Editable-Begin -->
@ -580,6 +909,10 @@ If not specified, this setting will default to 4.
| 2 | Large letters + small letters. |
| 3 | Large letters + small letters + numbers. |
| 4 (Default) | Large letters + small letters + numbers + special characters. |
| 5 | Large letters + small letters + numbers + special characters (improved readability). |
| 6 | Passphrase (long words). |
| 7 | Passphrase (short words). |
| 8 | Passphrase (short words with unique prefixes). |
<!-- Device-Policies-PasswordComplexity-AllowedValues-End -->
<!-- Device-Policies-PasswordComplexity-Examples-Begin -->
@ -683,6 +1016,7 @@ This setting has a maximum allowed value of 64 characters.
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[8-64]` |
| Default Value | 14 |
| Dependency [PasswordComplexity] | Dependency Type: `DependsOn` <br> Dependency URI: `Vendor/MSFT/LAPS/Policies/PasswordComplexity` <br> Dependency Allowed Value: `[1-5]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- Device-Policies-PasswordLength-DFProperties-End -->
<!-- Device-Policies-PasswordLength-Examples-Begin -->
@ -740,6 +1074,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
| 11 | Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated. |
<!-- Device-Policies-PostAuthenticationActions-AllowedValues-End -->
<!-- Device-Policies-PostAuthenticationActions-Examples-Begin -->


@ -1,7 +1,7 @@
---
title: LAPS DDF file
description: View the XML file containing the device description framework (DDF) for the LAPS configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -194,8 +194,14 @@ The allowable settings are:
2=Large letters + small letters
3=Large letters + small letters + numbers
4=Large letters + small letters + numbers + special characters
5=Large letters + small letters + numbers + special characters (improved readability)
6=Passphrase (long words)
7=Passphrase (short words)
8=Passphrase (short words with unique prefixes)
If not specified, this setting will default to 4.</Description>
If not specified, this setting will default to 4.
Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license. See https://go.microsoft.com/fwlink/?linkid=2255471 for more information.</Description>
<DFFormat>
<int />
</DFFormat>
@ -225,6 +231,22 @@ If not specified, this setting will default to 4.</Description>
<MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters + numbers + special characters</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Large letters + small letters + numbers + special characters (improved readability)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>6</MSFT:Value>
<MSFT:ValueDescription>Passphrase (long words)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>7</MSFT:Value>
<MSFT:ValueDescription>Passphrase (short words)</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>8</MSFT:Value>
<MSFT:ValueDescription>Passphrase (short words with unique prefixes)</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
@ -260,6 +282,70 @@ This setting has a maximum allowed value of 64 characters.</Description>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[8-64]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="PasswordComplexity">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/PasswordComplexity</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Enum>
<MSFT:Value>[1-5]</MSFT:Value>
<MSFT:ValueDescription>PasswordComplexity configured to generate a password</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>PassphraseLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>6</DefaultValue>
<Description>Use this setting to configure the number of passphrase words.
If not specified, this setting will default to 6 words
This setting has a minimum allowed value of 3 words.
This setting has a maximum allowed value of 10 words.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="Range">
<MSFT:Value>[3-10]</MSFT:Value>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="PasswordComplexity">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/PasswordComplexity</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="Range">
<MSFT:Enum>
<MSFT:Value>[6-8]</MSFT:Value>
<MSFT:ValueDescription>PasswordComplexity configured to generate a passphrase</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
@ -567,9 +653,278 @@ If not specified, this setting will default to 3 (Reset the password and logoff
<MSFT:Value>5</MSFT:Value>
<MSFT:ValueDescription>Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>11</MSFT:Value>
<MSFT:ValueDescription>Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementEnabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to specify whether automatic account management is enabled.
If this setting is enabled, the target account will be automatically managed.
If this setting is disabled, the target account will not be automatically managed.
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>The target account will not be automatically managed</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The target account will be automatically managed</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementTarget</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Use this setting to configure which account is automatically managed.
The allowable settings are:
0=The builtin administrator account will be managed.
1=A new account created by Windows LAPS will be managed.
If not specified, this setting will default to 1.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Manage the built-in administrator account</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Manage a new custom administrator account</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementNameOrPrefix</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Use this setting to configure the name or prefix of the managed local administrator account.
If specified, the value will be used as the name or name prefix of the managed account.
If not specified, this setting will default to "WLapsAdmin".</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementEnableAccount</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to configure whether the automatically managed account is enabled or disabled.
If this setting is enabled, the target account will be enabled.
If this setting is disabled, the target account will be disabled.
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>False</MSFT:Value>
<MSFT:ValueDescription>The target account will be disabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>True</MSFT:Value>
<MSFT:ValueDescription>The target account will be enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
<Node>
<NodeName>AutomaticAccountManagementRandomizeName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.
If this setting is enabled, the name of the target account will use a random numeric suffix.
If this setting is disbled, the name of the target account will not use a random numeric suffix..
If not specified, this setting defaults to False.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.9999</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.1</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>False</MSFT:Value>
<MSFT:ValueDescription>The name of the target account will not use a random numeric suffix.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>True</MSFT:Value>
<MSFT:ValueDescription>The name of the target account will use a random numeric suffix.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
<MSFT:DependencyBehavior>
<MSFT:DependencyGroup FriendlyId="AutomaticAccountManagementEnabled">
<MSFT:Dependency Type="DependsOn">
<MSFT:DependencyUri>Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled</MSFT:DependencyUri>
<MSFT:DependencyAllowedValue ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>AutomaticAccountManagementEnabled enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:DependencyAllowedValue>
</MSFT:Dependency>
</MSFT:DependencyGroup>
</MSFT:DependencyBehavior>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Actions</NodeName>
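Review bot: The boolean enum values are spelled inconsistently across the new AutomaticAccountManagement nodes: AutomaticAccountManagementEnabled lists `false`/`true` under a `DefaultValue` of `False`, AutomaticAccountManagementEnableAccount and AutomaticAccountManagementRandomizeName list `False`/`True`, and every `DependsOn` block expects `true`. The page does not say whether the CSP compares these values case-insensitively, so anyone generating SyncML or validation rules from this DDF cannot tell which spelling is accepted; a rejected value would presumably leave the local administrator account outside LAPS management. One casing should be used throughout, or the accepted forms stated in the description. The RandomizeName description also carries a typo and a doubled period and should read `If this setting is disabled, the name of the target account will not use a random numeric suffix.`, and the PassphraseLength description lacks the period after `default to 6 words`. These strings look generated from the upstream DDF, so the correction likely belongs there too.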


@ -1,7 +1,7 @@
---
title: Personalization CSP
description: Learn more about the Personalization CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -127,7 +127,7 @@ An http or https Url to a jpg, jpeg or png image that needs to be downloaded and
<!-- Device-CompanyName-Description-Begin -->
<!-- Description-Source-DDF -->
The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.
This represents the name of the company. It can be at most 30 characters long. This setting is currently available only for boot to cloud shared pc mode to display the company name on sign-in screen.
<!-- Device-CompanyName-Description-End -->
<!-- Device-CompanyName-Editable-Begin -->


@ -1,7 +1,7 @@
---
title: Personalization DDF file
description: View the XML file containing the device description framework (DDF) for the Personalization configuration service provider.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the P
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.0</MSFT:CspVersion>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;</MSFT:EditionAllowList>
<MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF;0xD2;</MSFT:EditionAllowList>
</MSFT:Applicability>
</DFProperties>
<Node>
@ -203,7 +203,7 @@ The following XML file contains the device description framework (DDF) for the P
<Get />
<Replace />
</AccessType>
<Description>The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.</Description>
<Description>This represents the name of the company. It can be at most 30 characters long. This setting is currently available only for boot to cloud shared pc mode to display the company name on sign-in screen.</Description>
<DFFormat>
<chr />
</DFFormat>


@ -1,7 +1,7 @@
---
title: ADMX-backed policies in Policy CSP
description: Learn about the ADMX-backed policies in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -539,6 +539,8 @@ This article lists the ADMX-backed policies in Policy CSP.
- [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md)
- [RestrictRunFromHelp_Comp](policy-csp-admx-help.md)
- [DisableHHDEP](policy-csp-admx-help.md)
- [AllowChildProcesses](policy-csp-admx-help.md)
- [HideChildProcessMessageBox](policy-csp-admx-help.md)
## ADMX_HelpAndSupport
@ -2515,6 +2517,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [ConfigureRpcAuthnLevelPrivacyEnabled](policy-csp-printers.md)
- [ConfigureIppPageCountsPolicy](policy-csp-printers.md)
- [ConfigureRedirectionGuardPolicy](policy-csp-printers.md)
- [ConfigureWindowsProtectedPrint](policy-csp-printers.md)
## RemoteAssistance
@ -2587,6 +2590,10 @@ This article lists the ADMX-backed policies in Policy CSP.
- [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md)
- [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md)
## Sudo
- [EnableSudo](policy-csp-sudo.md)
## System
- [BootStartDriverInitialization](policy-csp-system.md)


@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Group Policy
description: Learn about the policies in Policy CSP supported by Group Policy.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -281,6 +281,9 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [PasswordComplexity](policy-csp-devicelock.md)
- [PasswordHistorySize](policy-csp-devicelock.md)
- [AllowAdministratorLockout](policy-csp-devicelock.md)
- [MinimumPasswordLength](policy-csp-devicelock.md)
- [MinimumPasswordLengthAudit](policy-csp-devicelock.md)
- [RelaxMinimumPasswordLengthLimits](policy-csp-devicelock.md)
## Display
@ -383,14 +386,11 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [DomainMember_DisableMachineAccountPasswordChanges](policy-csp-localpoliciessecurityoptions.md)
- [DomainMember_MaximumMachineAccountPasswordAge](policy-csp-localpoliciessecurityoptions.md)
- [DomainMember_RequireStrongSessionKey](policy-csp-localpoliciessecurityoptions.md)
- [MinimumPasswordLength](policy-csp-localpoliciessecurityoptions.md)
- [MinimumPasswordLengthAudit](policy-csp-localpoliciessecurityoptions.md)
- [RelaxMinimumPasswordLengthLimits](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MachineAccountThreshold](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MachineAccountLockoutThreshold](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
@ -425,10 +425,12 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_RunAllAdministratorsInAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_TypeOfAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](policy-csp-localpoliciessecurityoptions.md)
- [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
@ -865,6 +867,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## WindowsAI
- [TurnOffWindowsCopilot](policy-csp-windowsai.md)
- [DisableAIDataAnalysis](policy-csp-windowsai.md)
## WindowsDefenderSecurityCenter


@ -1,7 +1,7 @@
---
title: Policy CSP
description: Learn more about the Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -1155,6 +1155,7 @@ Specifies the name/value pair used in the policy. See the individual Area DDFs f
- [Start](policy-csp-start.md)
- [Stickers](policy-csp-stickers.md)
- [Storage](policy-csp-storage.md)
- [Sudo](policy-csp-sudo.md)
- [System](policy-csp-system.md)
- [SystemServices](policy-csp-systemservices.md)
- [TaskManager](policy-csp-taskmanager.md)

View File

@ -1,7 +1,7 @@
---
title: ADMX_Help Policy CSP
description: Learn more about the ADMX_Help Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,10 +11,62 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- ADMX_Help-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_Help-Editable-End -->
<!-- AllowChildProcesses-Begin -->
## AllowChildProcesses
<!-- AllowChildProcesses-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowChildProcesses-Applicability-End -->
<!-- AllowChildProcesses-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Help/AllowChildProcesses
```
<!-- AllowChildProcesses-OmaUri-End -->
<!-- AllowChildProcesses-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- AllowChildProcesses-Description-End -->
<!-- AllowChildProcesses-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowChildProcesses-Editable-End -->
<!-- AllowChildProcesses-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- AllowChildProcesses-DFProperties-End -->
<!-- AllowChildProcesses-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | AllowChildProcesses |
| ADMX File Name | Help.admx |
<!-- AllowChildProcesses-AdmxBacked-End -->
<!-- AllowChildProcesses-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowChildProcesses-Examples-End -->
<!-- AllowChildProcesses-End -->
<!-- DisableHHDEP-Begin -->
## DisableHHDEP
@ -148,6 +200,56 @@ For additional options, see the "Restrict these programs from being launched fro
<!-- HelpQualifiedRootDir_Comp-End -->
<!-- HideChildProcessMessageBox-Begin -->
## HideChildProcessMessageBox
<!-- HideChildProcessMessageBox-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- HideChildProcessMessageBox-Applicability-End -->
<!-- HideChildProcessMessageBox-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Help/HideChildProcessMessageBox
```
<!-- HideChildProcessMessageBox-OmaUri-End -->
<!-- HideChildProcessMessageBox-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- HideChildProcessMessageBox-Description-End -->
<!-- HideChildProcessMessageBox-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HideChildProcessMessageBox-Editable-End -->
<!-- HideChildProcessMessageBox-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- HideChildProcessMessageBox-DFProperties-End -->
<!-- HideChildProcessMessageBox-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | HideChildProcessMessageBox |
| ADMX File Name | Help.admx |
<!-- HideChildProcessMessageBox-AdmxBacked-End -->
<!-- HideChildProcessMessageBox-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- HideChildProcessMessageBox-Examples-End -->
<!-- HideChildProcessMessageBox-End -->
<!-- RestrictRunFromHelp-Begin -->
## RestrictRunFromHelp
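Review bot: AllowChildProcesses and HideChildProcessMessageBox are published with `<!-- Description-Source-Not-Found -->` and `<!-- ADMX-Not-Found -->`, so each entry gives an OMA-URI and a `chr` format but no description, no accepted payload and no ADMX mapping beyond the file name `Help.admx`. Judging only by the names, these settings appear to govern whether help content may start child processes and whether the user is told about it, which is a security-relevant choice an administrator should not have to guess at. Until the generator can source the text, the Editable block of each policy should carry something like `> [!NOTE] The description and accepted values for this policy aren't published yet; don't assign it in production until they are.`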


@ -1,7 +1,7 @@
---
title: DeviceLock Policy CSP
description: Learn more about the DeviceLock Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -711,7 +711,7 @@ This security setting determines the period of time (in days) that a password ca
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-999]` |
| Default Value | 1 |
| Default Value | 42 |
<!-- MaximumPasswordAge-DFProperties-End -->
<!-- MaximumPasswordAge-GpMapping-Begin -->
@ -1016,6 +1016,109 @@ This security setting determines the period of time (in days) that a password mu
<!-- MinimumPasswordAge-End -->
<!-- MinimumPasswordLength-Begin -->
## MinimumPasswordLength
<!-- MinimumPasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MinimumPasswordLength-Applicability-End -->
<!-- MinimumPasswordLength-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordLength
```
<!-- MinimumPasswordLength-OmaUri-End -->
<!-- MinimumPasswordLength-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting depends on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting isn't defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
> [!NOTE]
> By default, member computers follow the configuration of their domain controllers. Default values: 7 on domain controllers 0 on stand-alone servers Configuring this setting larger than 14 may affect compatibility with clients, services, and applications. We recommend that you only configure this setting larger than 14 after you use the Minimum password length audit setting to test for potential incompatibilities at the new setting.
<!-- MinimumPasswordLength-Description-End -->
<!-- MinimumPasswordLength-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinimumPasswordLength-Editable-End -->
<!-- MinimumPasswordLength-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-128]` |
| Default Value | 0 |
<!-- MinimumPasswordLength-DFProperties-End -->
<!-- MinimumPasswordLength-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Minimum password length |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- MinimumPasswordLength-GpMapping-End -->
<!-- MinimumPasswordLength-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinimumPasswordLength-Examples-End -->
<!-- MinimumPasswordLength-End -->
<!-- MinimumPasswordLengthAudit-Begin -->
## MinimumPasswordLengthAudit
<!-- MinimumPasswordLengthAudit-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MinimumPasswordLengthAudit-Applicability-End -->
<!-- MinimumPasswordLengthAudit-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordLengthAudit
```
<!-- MinimumPasswordLengthAudit-OmaUri-End -->
<!-- MinimumPasswordLengthAudit-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128. You should only enable and configure this setting when you try to determine the potential effect of increasing the minimum password length setting in your environment. If this setting isn't defined, audit events won't be issued. If this setting is defined and is less than or equal to the minimum password length setting, audit events won't be issued. If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.
<!-- MinimumPasswordLengthAudit-Description-End -->
<!-- MinimumPasswordLengthAudit-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinimumPasswordLengthAudit-Editable-End -->
<!-- MinimumPasswordLengthAudit-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-128]` |
| Default Value | 4294967295 |
<!-- MinimumPasswordLengthAudit-DFProperties-End -->
<!-- MinimumPasswordLengthAudit-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Minimum password length audit |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- MinimumPasswordLengthAudit-GpMapping-End -->
<!-- MinimumPasswordLengthAudit-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinimumPasswordLengthAudit-Examples-End -->
<!-- MinimumPasswordLengthAudit-End -->
<!-- PasswordComplexity-Begin -->
## PasswordComplexity
@ -1248,6 +1351,64 @@ If you enable this setting, users will no longer be able to modify slide show se
<!-- PreventLockScreenSlideShow-End -->
<!-- RelaxMinimumPasswordLengthLimits-Begin -->
## RelaxMinimumPasswordLengthLimits
<!-- RelaxMinimumPasswordLengthLimits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- RelaxMinimumPasswordLengthLimits-Applicability-End -->
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceLock/RelaxMinimumPasswordLengthLimits
```
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-End -->
<!-- RelaxMinimumPasswordLengthLimits-Description-Begin -->
<!-- Description-Source-DDF -->
This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14. If this setting isn't defined, minimum password length may be configured to no more than 14. If this setting is defined and disabled, minimum password length may be configured to no more than 14. If this setting is defined and enabled, minimum password length may be configured more than 14.
<!-- RelaxMinimumPasswordLengthLimits-Description-End -->
<!-- RelaxMinimumPasswordLengthLimits-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RelaxMinimumPasswordLengthLimits-Editable-End -->
<!-- RelaxMinimumPasswordLengthLimits-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RelaxMinimumPasswordLengthLimits-DFProperties-End -->
<!-- RelaxMinimumPasswordLengthLimits-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- RelaxMinimumPasswordLengthLimits-AllowedValues-End -->
<!-- RelaxMinimumPasswordLengthLimits-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Relax minimum password length |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- RelaxMinimumPasswordLengthLimits-GpMapping-End -->
<!-- RelaxMinimumPasswordLengthLimits-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RelaxMinimumPasswordLengthLimits-Examples-End -->
<!-- RelaxMinimumPasswordLengthLimits-End -->
<!-- ScreenTimeoutWhileLocked-Begin -->
## ScreenTimeoutWhileLocked


@ -1,7 +1,7 @@
---
title: Kerberos Policy CSP
description: Learn more about the Kerberos Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -316,7 +316,7 @@ If you don't configure this policy, the SHA1 algorithm will assume the **Default
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- PKInitHashAlgorithmSHA1-DFProperties-End -->
<!-- PKInitHashAlgorithmSHA1-AllowedValues-Begin -->
@ -389,7 +389,7 @@ If you don't configure this policy, the SHA256 algorithm will assume the **Defau
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- PKInitHashAlgorithmSHA256-DFProperties-End -->
<!-- PKInitHashAlgorithmSHA256-AllowedValues-Begin -->
@ -462,7 +462,7 @@ If you don't configure this policy, the SHA384 algorithm will assume the **Defau
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- PKInitHashAlgorithmSHA384-DFProperties-End -->
<!-- PKInitHashAlgorithmSHA384-AllowedValues-Begin -->
@ -535,7 +535,7 @@ If you don't configure this policy, the SHA512 algorithm will assume the **Defau
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfigurationEnabled` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
| Dependency [PKINIT_Hash_Algorithm_Configuration_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/Kerberos/PKInitHashAlgorithmConfiguration` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- PKInitHashAlgorithmSHA512-DFProperties-End -->
<!-- PKInitHashAlgorithmSHA512-AllowedValues-Begin -->


@ -1,7 +1,7 @@
---
title: LocalPoliciesSecurityOptions Policy CSP
description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -366,7 +366,7 @@ Accounts: Rename guest account This security setting determines whether a differ
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Applicability-End -->
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-OmaUri-Begin -->
@ -395,6 +395,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
| Format | `b64` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: ``) |
| Default Value | 00 |
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-DFProperties-End -->
<!-- Audit_AuditTheUseOfBackupAndRestoreprivilege-Examples-Begin -->
@ -409,7 +410,7 @@ Audit: Audit the use of Backup and Restore privilege This security setting deter
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-Applicability-End -->
<!-- Audit_ForceAuditPolicySubcategorySettingsToOverrideAuditPolicyCategorySettings-OmaUri-Begin -->
@ -450,7 +451,7 @@ Audit: Force audit policy subcategory settings (Windows Vista or later) to overr
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-Applicability-End -->
<!-- Audit_ShutdownSystemImmediatelyIfUnableToLogSecurityAudits-OmaUri-Begin -->
@ -715,7 +716,7 @@ Devices: Restrict CD-ROM access to locally logged-on user only This security set
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-Applicability-End -->
<!-- Devices_RestrictFloppyAccessToLocallyLoggedOnUserOnly-OmaUri-Begin -->
@ -764,7 +765,7 @@ Devices: Restrict floppy access to locally logged-on user only This security set
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-Applicability-End -->
<!-- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways-OmaUri-Begin -->
@ -817,7 +818,7 @@ Domain member: Digitally encrypt or sign secure channel data (always) This secur
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -873,7 +874,7 @@ Domain member: Digitally encrypt secure channel data (when possible) This securi
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-Applicability-End -->
<!-- DomainMember_DigitallySignSecureChannelDataWhenPossible-OmaUri-Begin -->
@ -923,7 +924,7 @@ Domain member: Digitally sign secure channel data (when possible) This security
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_DisableMachineAccountPasswordChanges-Applicability-End -->
<!-- DomainMember_DisableMachineAccountPasswordChanges-OmaUri-Begin -->
@ -980,7 +981,7 @@ Domain member: Disable machine account password changes Determines whether a dom
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_MaximumMachineAccountPasswordAge-Applicability-End -->
<!-- DomainMember_MaximumMachineAccountPasswordAge-OmaUri-Begin -->
@ -1033,7 +1034,7 @@ Domain member: Maximum machine account password age This security setting determ
<!-- DomainMember_RequireStrongSessionKey-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DomainMember_RequireStrongSessionKey-Applicability-End -->
<!-- DomainMember_RequireStrongSessionKey-OmaUri-Begin -->
@ -1318,31 +1319,31 @@ Interactive logon: Don't require CTRL+ALT+DEL This security setting determines w
<!-- InteractiveLogon_DoNotRequireCTRLALTDEL-End -->
<!-- InteractiveLogon_MachineAccountThreshold-Begin -->
## InteractiveLogon_MachineAccountThreshold
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Begin -->
## InteractiveLogon_MachineAccountLockoutThreshold
<!-- InteractiveLogon_MachineAccountThreshold-Applicability-Begin -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
<!-- InteractiveLogon_MachineAccountThreshold-Applicability-End -->
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Applicability-End -->
<!-- InteractiveLogon_MachineAccountThreshold-OmaUri-Begin -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountThreshold
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MachineAccountLockoutThreshold
```
<!-- InteractiveLogon_MachineAccountThreshold-OmaUri-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-OmaUri-End -->
<!-- InteractiveLogon_MachineAccountThreshold-Description-Begin -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Description-Begin -->
<!-- Description-Source-DDF -->
Interactive logon: Machine account threshold. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0.
<!-- InteractiveLogon_MachineAccountThreshold-Description-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Description-End -->
<!-- InteractiveLogon_MachineAccountThreshold-Editable-Begin -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- InteractiveLogon_MachineAccountThreshold-Editable-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Editable-End -->
<!-- InteractiveLogon_MachineAccountThreshold-DFProperties-Begin -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
@ -1351,22 +1352,22 @@ Interactive logon: Machine account threshold. The machine lockout policy is enfo
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-999]` |
| Default Value | 0 |
<!-- InteractiveLogon_MachineAccountThreshold-DFProperties-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-DFProperties-End -->
<!-- InteractiveLogon_MachineAccountThreshold-GpMapping-Begin -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Interactive logon: Machine account lockout threshold |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- InteractiveLogon_MachineAccountThreshold-GpMapping-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-GpMapping-End -->
<!-- InteractiveLogon_MachineAccountThreshold-Examples-Begin -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- InteractiveLogon_MachineAccountThreshold-Examples-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-Examples-End -->
<!-- InteractiveLogon_MachineAccountThreshold-End -->
<!-- InteractiveLogon_MachineAccountLockoutThreshold-End -->
<!-- InteractiveLogon_MachineInactivityLimit-Begin -->
## InteractiveLogon_MachineInactivityLimit
@ -1524,7 +1525,7 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
@ -1564,7 +1565,7 @@ Interactive logon: Number of previous logons to cache (in case domain controller
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-Applicability-End -->
<!-- InteractiveLogon_PromptUserToChangePasswordBeforeExpiration-OmaUri-Begin -->
@ -1859,7 +1860,7 @@ Microsoft network client: Send unencrypted password to connect to third-party SM
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-Applicability-End -->
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-OmaUri-Begin -->
@ -1884,8 +1885,8 @@ Microsoft network server: Amount of idle time required before suspending a sessi
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-15]` |
| Default Value | 15 |
| Allowed Values | Range: `[0-99999]` |
| Default Value | 99999 |
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-DFProperties-End -->
<!-- MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession-GpMapping-Begin -->
@ -2042,7 +2043,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-Applicability-End -->
<!-- MicrosoftNetworkServer_DisconnectClientsWhenLogonHoursExpire-OmaUri-Begin -->
@ -2083,7 +2084,7 @@ Microsoft network server: Disconnect clients when logon hours expire This securi
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-Applicability-End -->
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-OmaUri-Begin -->
@ -2118,109 +2119,6 @@ Microsoft network server: Server SPN target name validation level This policy se
<!-- MicrosoftNetworkServer_ServerSPNTargetNameValidationLevel-End -->
<!-- MinimumPasswordLength-Begin -->
## MinimumPasswordLength
<!-- MinimumPasswordLength-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MinimumPasswordLength-Applicability-End -->
<!-- MinimumPasswordLength-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MinimumPasswordLength
```
<!-- MinimumPasswordLength-OmaUri-End -->
<!-- MinimumPasswordLength-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting depends on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting isn't defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required.
> [!NOTE]
> By default, member computers follow the configuration of their domain controllers. Default values: 7 on domain controllers 0 on stand-alone servers Configuring this setting larger than 14 may affect compatibility with clients, services, and applications. We recommend that you only configure this setting larger than 14 after you use the Minimum password length audit setting to test for potential incompatibilities at the new setting.
<!-- MinimumPasswordLength-Description-End -->
<!-- MinimumPasswordLength-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinimumPasswordLength-Editable-End -->
<!-- MinimumPasswordLength-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-128]` |
| Default Value | 0 |
<!-- MinimumPasswordLength-DFProperties-End -->
<!-- MinimumPasswordLength-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Minimum password length |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- MinimumPasswordLength-GpMapping-End -->
<!-- MinimumPasswordLength-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinimumPasswordLength-Examples-End -->
<!-- MinimumPasswordLength-End -->
<!-- MinimumPasswordLengthAudit-Begin -->
## MinimumPasswordLengthAudit
<!-- MinimumPasswordLengthAudit-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MinimumPasswordLengthAudit-Applicability-End -->
<!-- MinimumPasswordLengthAudit-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/MinimumPasswordLengthAudit
```
<!-- MinimumPasswordLengthAudit-OmaUri-End -->
<!-- MinimumPasswordLengthAudit-Description-Begin -->
<!-- Description-Source-DDF -->
This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128. You should only enable and configure this setting when you try to determine the potential effect of increasing the minimum password length setting in your environment. If this setting isn't defined, audit events won't be issued. If this setting is defined and is less than or equal to the minimum password length setting, audit events won't be issued. If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.
<!-- MinimumPasswordLengthAudit-Description-End -->
<!-- MinimumPasswordLengthAudit-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MinimumPasswordLengthAudit-Editable-End -->
<!-- MinimumPasswordLengthAudit-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-128]` |
| Default Value | 4294967295 |
<!-- MinimumPasswordLengthAudit-DFProperties-End -->
<!-- MinimumPasswordLengthAudit-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Minimum password length audit |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- MinimumPasswordLengthAudit-GpMapping-End -->
<!-- MinimumPasswordLengthAudit-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MinimumPasswordLengthAudit-Examples-End -->
<!-- MinimumPasswordLengthAudit-End -->
<!-- NetworkAccess_AllowAnonymousSIDOrNameTranslation-Begin -->
## NetworkAccess_AllowAnonymousSIDOrNameTranslation
@ -2408,7 +2306,7 @@ Network access: Don't allow anonymous enumeration of SAM accounts and shares Thi
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-Applicability-End -->
<!-- NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication-OmaUri-Begin -->
@ -2456,7 +2354,7 @@ Network access: Don't allow storage of passwords and credentials for network aut
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-Applicability-End -->
<!-- NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers-OmaUri-Begin -->
@ -2506,7 +2404,7 @@ Network access: Let Everyone permissions apply to anonymous users This security
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2531,6 +2429,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-DFProperties-End -->
<!-- NetworkAccess_NamedPipesThatCanBeAccessedAnonymously-Examples-Begin -->
@ -2545,7 +2444,7 @@ Network access: Named pipes that can be accessed anonymously This security setti
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-OmaUri-Begin -->
@ -2573,6 +2472,7 @@ Network access: Remotely accessible registry paths This security setting determi
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-DFProperties-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPaths-Examples-Begin -->
@ -2587,7 +2487,7 @@ Network access: Remotely accessible registry paths This security setting determi
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Applicability-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-OmaUri-Begin -->
@ -2615,6 +2515,7 @@ Network access: Remotely accessible registry paths and subpaths This security se
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-DFProperties-End -->
<!-- NetworkAccess_RemotelyAccessibleRegistryPathsAndSubpaths-Examples-Begin -->
@ -2735,7 +2636,7 @@ Network access: Restrict clients allowed to make remote calls to SAM This policy
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Applicability-End -->
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-OmaUri-Begin -->
@ -2760,6 +2661,7 @@ Network access: Shares that can be accessed anonymously This security setting de
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `,`) |
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-DFProperties-End -->
<!-- NetworkAccess_SharesThatCanBeAccessedAnonymously-Examples-Begin -->
@ -2774,7 +2676,7 @@ Network access: Shares that can be accessed anonymously This security setting de
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-Applicability-End -->
<!-- NetworkAccess_SharingAndSecurityModelForLocalAccounts-OmaUri-Begin -->
@ -2818,7 +2720,7 @@ Network access: Sharing and security model for local accounts This security sett
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-Applicability-End -->
<!-- NetworkSecurity_AllowLocalSystemNULLSessionFallback-OmaUri-Begin -->
@ -3076,7 +2978,7 @@ Network security: Force logoff when logon hours expire This security setting det
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
| Default Value | 1 |
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-DFProperties-End -->
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-AllowedValues-Begin -->
@ -3084,8 +2986,8 @@ Network security: Force logoff when logon hours expire This security setting det
| Value | Description |
|:--|:--|
| 1 | Enable. |
| 0 (Default) | Disable. |
| 1 (Default) | Enable. |
| 0 | Disable. |
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-AllowedValues-End -->
<!-- NetworkSecurity_ForceLogoffWhenLogonHoursExpire-GpMapping-Begin -->
@ -3174,7 +3076,7 @@ Network security LAN Manager authentication level This security setting determin
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetworkSecurity_LDAPClientSigningRequirements-Applicability-End -->
<!-- NetworkSecurity_LDAPClientSigningRequirements-OmaUri-Begin -->
@ -3206,7 +3108,7 @@ Network security: LDAP client signing requirements This security setting determi
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-2]` |
| Default Value | 0 |
| Default Value | 1 |
<!-- NetworkSecurity_LDAPClientSigningRequirements-DFProperties-End -->
<!-- NetworkSecurity_LDAPClientSigningRequirements-Examples-Begin -->
@ -3580,7 +3482,7 @@ Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers This po
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-Applicability-End -->
<!-- RecoveryConsole_AllowAutomaticAdministrativeLogon-OmaUri-Begin -->
@ -3630,7 +3532,7 @@ Recovery console: Allow automatic administrative logon This security setting det
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-Applicability-End -->
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-OmaUri-Begin -->
@ -3665,64 +3567,6 @@ Recovery console: Allow floppy copy and access to all drives and all folders Ena
<!-- RecoveryConsole_AllowFloppyCopyAndAccessToAllDrivesAndAllFolders-End -->
<!-- RelaxMinimumPasswordLengthLimits-Begin -->
## RelaxMinimumPasswordLengthLimits
<!-- RelaxMinimumPasswordLengthLimits-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- RelaxMinimumPasswordLengthLimits-Applicability-End -->
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/RelaxMinimumPasswordLengthLimits
```
<!-- RelaxMinimumPasswordLengthLimits-OmaUri-End -->
<!-- RelaxMinimumPasswordLengthLimits-Description-Begin -->
<!-- Description-Source-DDF -->
This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14. If this setting isn't defined, minimum password length may be configured to no more than 14. If this setting is defined and disabled, minimum password length may be configured to no more than 14. If this setting is defined and enabled, minimum password length may be configured more than 14.
<!-- RelaxMinimumPasswordLengthLimits-Description-End -->
<!-- RelaxMinimumPasswordLengthLimits-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RelaxMinimumPasswordLengthLimits-Editable-End -->
<!-- RelaxMinimumPasswordLengthLimits-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- RelaxMinimumPasswordLengthLimits-DFProperties-End -->
<!-- RelaxMinimumPasswordLengthLimits-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled. |
| 1 | Enabled. |
<!-- RelaxMinimumPasswordLengthLimits-AllowedValues-End -->
<!-- RelaxMinimumPasswordLengthLimits-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Relax minimum password length |
| Path | Windows Settings > Security Settings > Account Policies > Password Policy |
<!-- RelaxMinimumPasswordLengthLimits-GpMapping-End -->
<!-- RelaxMinimumPasswordLengthLimits-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RelaxMinimumPasswordLengthLimits-Examples-End -->
<!-- RelaxMinimumPasswordLengthLimits-End -->
<!-- Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn-Begin -->
## Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
@ -3845,7 +3689,7 @@ Shutdown: Clear virtual memory pagefile This security setting determines whether
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SystemCryptography_ForceStrongKeyProtection-Applicability-End -->
<!-- SystemCryptography_ForceStrongKeyProtection-OmaUri-Begin -->
@ -3886,7 +3730,7 @@ System Cryptography: Force strong key protection for user keys stored on the com
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-Applicability-End -->
<!-- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems-OmaUri-Begin -->
@ -3936,7 +3780,7 @@ System objects: Require case insensitivity for non-Windows subsystems This secur
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-Applicability-End -->
<!-- SystemObjects_StrengthenDefaultPermissionsOfInternalSystemObjects-OmaUri-Begin -->
@ -4094,6 +3938,64 @@ User Account Control: Behavior of the elevation prompt for administrators in Adm
<!-- UserAccountControl_BehaviorOfTheElevationPromptForAdministrators-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Begin -->
## UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Applicability-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators
```
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-OmaUri-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection. This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. - Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Description-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Editable-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 2 |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-DFProperties-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | Prompt for credentials on the secure desktop. |
| 2 (Default) | Prompt for consent on the secure desktop. |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-AllowedValues-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-GpMapping-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-Examples-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForEnhancedAdministrators-End -->
<!-- UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers-Begin -->
## UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
@ -4446,6 +4348,64 @@ User Account Control: Switch to the secure desktop when prompting for elevation
<!-- UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Begin -->
## UserAccountControl_TypeOfAdminApprovalMode
<!-- UserAccountControl_TypeOfAdminApprovalMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UserAccountControl_TypeOfAdminApprovalMode-Applicability-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/UserAccountControl_TypeOfAdminApprovalMode
```
<!-- UserAccountControl_TypeOfAdminApprovalMode-OmaUri-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Description-Begin -->
<!-- Description-Source-DDF -->
User Account Control: Configure type of Admin Approval Mode. This policy setting controls whether enhanced privilege protection is applied to admin approval mode elevations. If you change this policy setting, you must restart your computer. This policy is only supported on Windows Desktop, not Server. The options are: - Admin Approval Mode is running in legacy mode (default). - Admin Approval Mode is running with enhanced privilege protection.
<!-- UserAccountControl_TypeOfAdminApprovalMode-Description-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Editable-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- UserAccountControl_TypeOfAdminApprovalMode-DFProperties-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 (Default) | Legacy Admin Approval Mode. |
| 2 | Admin Approval Mode with enhanced privilege protection. |
<!-- UserAccountControl_TypeOfAdminApprovalMode-AllowedValues-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | User Account Control: Configure type of Admin Approval Mode |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
<!-- UserAccountControl_TypeOfAdminApprovalMode-GpMapping-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-Examples-End -->
<!-- UserAccountControl_TypeOfAdminApprovalMode-End -->
<!-- UserAccountControl_UseAdminApprovalMode-Begin -->
## UserAccountControl_UseAdminApprovalMode


@ -1,7 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -321,6 +321,97 @@ This policy setting controls if pressing the brightness button changes the brigh
<!-- BrightnessButtonDisabled-End -->
<!-- ConfigureDeviceStandbyAction-Begin -->
## ConfigureDeviceStandbyAction
<!-- ConfigureDeviceStandbyAction-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeviceStandbyAction-Applicability-End -->
<!-- ConfigureDeviceStandbyAction-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureDeviceStandbyAction
```
<!-- ConfigureDeviceStandbyAction-OmaUri-End -->
<!-- ConfigureDeviceStandbyAction-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls device maintenance action during standby.
<!-- ConfigureDeviceStandbyAction-Description-End -->
<!-- ConfigureDeviceStandbyAction-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyAction-Editable-End -->
<!-- ConfigureDeviceStandbyAction-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureDeviceStandbyAction-DFProperties-End -->
<!-- ConfigureDeviceStandbyAction-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not configured. |
| 1 | Logoff users. |
| 2 | Reboot device. |
<!-- ConfigureDeviceStandbyAction-AllowedValues-End -->
<!-- ConfigureDeviceStandbyAction-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyAction-Examples-End -->
<!-- ConfigureDeviceStandbyAction-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Begin -->
## ConfigureDeviceStandbyActionTimeout
<!-- ConfigureDeviceStandbyActionTimeout-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureDeviceStandbyActionTimeout-Applicability-End -->
<!-- ConfigureDeviceStandbyActionTimeout-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/ConfigureDeviceStandbyActionTimeout
```
<!-- ConfigureDeviceStandbyActionTimeout-OmaUri-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting controls when to start maintenance action after device enters standby. The timeout value is in hours.
<!-- ConfigureDeviceStandbyActionTimeout-Description-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyActionTimeout-Editable-End -->
<!-- ConfigureDeviceStandbyActionTimeout-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-168]` |
| Default Value | 8 |
<!-- ConfigureDeviceStandbyActionTimeout-DFProperties-End -->
<!-- ConfigureDeviceStandbyActionTimeout-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureDeviceStandbyActionTimeout-Examples-End -->
<!-- ConfigureDeviceStandbyActionTimeout-End -->
<!-- ConfigureMovingPlatform-Begin -->
## ConfigureMovingPlatform
@ -643,7 +734,7 @@ Windows Network Connectivity Status Indicator may get a false positive internet-
<!-- EnableStartMenuSingleHandGesture-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuSingleHandGesture-Applicability-End -->
<!-- EnableStartMenuSingleHandGesture-OmaUri-Begin -->
@ -692,7 +783,7 @@ This policy setting controls if pinching your thumb and index finger, while look
<!-- EnableStartMenuVoiceCommand-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuVoiceCommand-Applicability-End -->
<!-- EnableStartMenuVoiceCommand-OmaUri-Begin -->
@ -741,7 +832,7 @@ This policy setting controls if using voice commands to open the Start menu is e
<!-- EnableStartMenuWristTap-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- EnableStartMenuWristTap-Applicability-End -->
<!-- EnableStartMenuWristTap-OmaUri-Begin -->
@ -1104,7 +1195,7 @@ The following example XML string shows the value to enable this policy:
<!-- PreferLogonAsOtherUser-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- PreferLogonAsOtherUser-Applicability-End -->
<!-- PreferLogonAsOtherUser-OmaUri-Begin -->
@ -1153,7 +1244,7 @@ This policy configures whether the Sign-In App should prefer showing Other User
<!-- RequireStartIconHold-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- RequireStartIconHold-Applicability-End -->
<!-- RequireStartIconHold-OmaUri-Begin -->
@ -1202,7 +1293,7 @@ This policy setting controls if it's require that the Start icon to be pressed f
<!-- RequireStartIconVisible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- RequireStartIconVisible-Applicability-End -->
<!-- RequireStartIconVisible-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: MSSecurityGuide Policy CSP
description: Learn more about the MSSecurityGuide Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 01/18/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- MSSecurityGuide-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MSSecurityGuide-Editable-End -->
@ -221,7 +223,7 @@ ms.date: 01/18/2024
<!-- NetBTNodeTypeConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- NetBTNodeTypeConfiguration-Applicability-End -->
<!-- NetBTNodeTypeConfiguration-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: NetworkListManager Policy CSP
description: Learn more about the NetworkListManager Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- NetworkListManager-Begin -->
# Policy CSP - NetworkListManager
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- NetworkListManager-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NetworkListManager-Editable-End -->
@ -19,7 +21,7 @@ ms.date: 01/18/2024
<!-- AllNetworks_NetworkIcon-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllNetworks_NetworkIcon-Applicability-End -->
<!-- AllNetworks_NetworkIcon-OmaUri-Begin -->
@ -68,7 +70,7 @@ This policy setting allows you to specify whether users can change the network i
<!-- AllNetworks_NetworkLocation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllNetworks_NetworkLocation-Applicability-End -->
<!-- AllNetworks_NetworkLocation-OmaUri-Begin -->
@ -117,7 +119,7 @@ This policy setting allows you to specify whether users can change the network l
<!-- AllNetworks_NetworkName-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllNetworks_NetworkName-Applicability-End -->
<!-- AllNetworks_NetworkName-OmaUri-Begin -->
@ -260,7 +262,7 @@ This policy setting provides the string that names a network. If this setting is
<!-- IdentifyingNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- IdentifyingNetworks_LocationType-Applicability-End -->
<!-- IdentifyingNetworks_LocationType-OmaUri-Begin -->
@ -309,7 +311,7 @@ This policy setting allows you to configure the Network Location for networks th
<!-- UnidentifiedNetworks_LocationType-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UnidentifiedNetworks_LocationType-Applicability-End -->
<!-- UnidentifiedNetworks_LocationType-OmaUri-Begin -->
@ -358,7 +360,7 @@ This policy setting allows you to configure the Network Location type for networ
<!-- UnidentifiedNetworks_UserPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- UnidentifiedNetworks_UserPermissions-Applicability-End -->
<!-- UnidentifiedNetworks_UserPermissions-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -669,6 +669,56 @@ If you disable or don't configure this policy setting, dynamic TCP ports are use
<!-- ConfigureRpcTcpPort-End -->
<!-- ConfigureWindowsProtectedPrint-Begin -->
## ConfigureWindowsProtectedPrint
<!-- ConfigureWindowsProtectedPrint-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- ConfigureWindowsProtectedPrint-Applicability-End -->
<!-- ConfigureWindowsProtectedPrint-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureWindowsProtectedPrint
```
<!-- ConfigureWindowsProtectedPrint-OmaUri-End -->
<!-- ConfigureWindowsProtectedPrint-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- ConfigureWindowsProtectedPrint-Description-End -->
<!-- ConfigureWindowsProtectedPrint-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWindowsProtectedPrint-Editable-End -->
<!-- ConfigureWindowsProtectedPrint-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureWindowsProtectedPrint-DFProperties-End -->
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureWindowsProtectedPrint |
| ADMX File Name | Printing.admx |
<!-- ConfigureWindowsProtectedPrint-AdmxBacked-End -->
<!-- ConfigureWindowsProtectedPrint-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWindowsProtectedPrint-Examples-End -->
<!-- ConfigureWindowsProtectedPrint-End -->
<!-- EnableDeviceControl-Begin -->
## EnableDeviceControl


@ -1,7 +1,7 @@
---
title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -286,7 +286,7 @@ The most restrictive value is `0` to not allow indexing of encrypted items.
<!-- AllowSearchHighlights-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2009 [10.0.19042.1620] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1620] and later <br> ✅ Windows 10, version 21H2 [10.0.19044.1620] and later <br> ✅ Windows 11, version 21H2 [10.0.22000.1761] and later <br> ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- AllowSearchHighlights-Applicability-End -->
<!-- AllowSearchHighlights-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: SmartScreen Policy CSP
description: Learn more about the SmartScreen Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -70,6 +70,8 @@ App Install Control is a feature of Windows Defender SmartScreen that helps prot
|:--|:--|
| 0 (Default) | Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. |
| 1 | Turns on Application Installation Control, allowing users to only install apps from the Store. |
| 2 | Turns on Application Installation Control, letting users know that there's a comparable app in the Store. |
| 3 | Turns on Application Installation Control, warning users before installing apps from outside the Store. |
<!-- EnableAppInstallControl-AllowedValues-End -->
<!-- EnableAppInstallControl-GpMapping-Begin -->


@ -0,0 +1,78 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
<!-- Sudo-Begin -->
# Policy CSP - Sudo
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Sudo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Sudo-Editable-End -->
<!-- EnableSudo-Begin -->
## EnableSudo
<!-- EnableSudo-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableSudo-Applicability-End -->
<!-- EnableSudo-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Sudo/EnableSudo
```
<!-- EnableSudo-OmaUri-End -->
<!-- EnableSudo-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- EnableSudo-Description-End -->
<!-- EnableSudo-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableSudo-Editable-End -->
<!-- EnableSudo-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableSudo-DFProperties-End -->
<!-- EnableSudo-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnableSudo |
| ADMX File Name | Sudo.admx |
<!-- EnableSudo-AdmxBacked-End -->
<!-- EnableSudo-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableSudo-Examples-End -->
<!-- EnableSudo-End -->
<!-- Sudo-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Sudo-CspMoreInfo-End -->
<!-- Sudo-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)


@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -275,7 +275,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
<!-- AllowOptionalContent-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 21H2 [10.0.19044.3757] and later |
<!-- AllowOptionalContent-Applicability-End -->
<!-- AllowOptionalContent-OmaUri-Begin -->
@ -2428,7 +2428,7 @@ Number of days before feature updates are installed on devices automatically reg
<!-- ConfigureDeadlineForFeatureUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
>
>
> - After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
> - When this policy is used, the download, installation, and reboot settings from [Update/AllowAutoUpdate](#allowautoupdate) are ignored.
<!-- ConfigureDeadlineForFeatureUpdates-Editable-End -->
@ -2487,7 +2487,7 @@ Number of days before quality updates are installed on devices automatically reg
<!-- ConfigureDeadlineForQualityUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
>
>
> - After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
> - When this policy is used, the download, installation, and reboot settings from [Update/AllowAutoUpdate](#allowautoupdate) are ignored.
<!-- ConfigureDeadlineForQualityUpdates-Editable-End -->


@ -1,7 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- WebThreatDefense-Begin -->
# Policy CSP - WebThreatDefense
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WebThreatDefense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
@ -21,7 +23,7 @@ ms.date: 01/18/2024
<!-- AutomaticDataCollection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 23H2 [10.0.22631] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AutomaticDataCollection-Applicability-End -->
<!-- AutomaticDataCollection-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: Wifi Policy CSP
description: Learn more about the Wifi Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- Wifi-Begin -->
# Policy CSP - Wifi
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Wifi-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Wifi-Editable-End -->
@ -227,7 +229,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
<!-- AllowWFAQosManagementDSCPToUPMapping-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowWFAQosManagementDSCPToUPMapping-Applicability-End -->
<!-- AllowWFAQosManagementDSCPToUPMapping-OmaUri-Begin -->
@ -277,7 +279,7 @@ Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-F
<!-- AllowWFAQosManagementMSCS-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | <!-- Not-Found --> |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowWFAQosManagementMSCS-Applicability-End -->
<!-- AllowWFAQosManagementMSCS-OmaUri-Begin -->


@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/31/2024
---
<!-- Auto-Generated CSP Document -->
@ -9,17 +9,81 @@ ms.date: 01/18/2024
<!-- WindowsAI-Begin -->
# Policy CSP - WindowsAI
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End -->
<!-- DisableAIDataAnalysis-Begin -->
## DisableAIDataAnalysis
<!-- DisableAIDataAnalysis-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] |
<!-- DisableAIDataAnalysis-Applicability-End -->
<!-- DisableAIDataAnalysis-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
<!-- DisableAIDataAnalysis-OmaUri-End -->
<!-- DisableAIDataAnalysis-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows you to prevent Windows AI from using and analyzing user patterns and data.
- If you enable this policy setting, Windows AI won't be able to take advantage of historical user patterns.
- If you disable or don't configure this policy setting, Windows AI will be able to assist users by considering their historical behaviors and data.
<!-- DisableAIDataAnalysis-Description-End -->
<!-- DisableAIDataAnalysis-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableAIDataAnalysis-Editable-End -->
<!-- DisableAIDataAnalysis-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableAIDataAnalysis-DFProperties-End -->
<!-- DisableAIDataAnalysis-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Enable Data Analysis for Windows AI. |
| 1 | Disable Data Analysis for Windows AI. |
<!-- DisableAIDataAnalysis-AllowedValues-End -->
<!-- DisableAIDataAnalysis-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
| Path | WindowsAI > AT > WindowsComponents > WindowsAI |
<!-- DisableAIDataAnalysis-GpMapping-End -->
<!-- DisableAIDataAnalysis-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableAIDataAnalysis-Examples-End -->
<!-- DisableAIDataAnalysis-End -->
<!-- TurnOffWindowsCopilot-Begin -->
## TurnOffWindowsCopilot
<!-- TurnOffWindowsCopilot-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.3758] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.2361] and later <br> ✅ Windows 11, version 23H2 [10.0.22631] and later |
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 21H2 [10.0.19044.3758] and later <br> ✅ Windows 10, version 22H2 [10.0.19045.3758] and later <br> ✅ Windows 11, version 22H2 [10.0.22621.2361] and later <br> ✅ Windows 11, version 23H2 [10.0.22631] and later |
<!-- TurnOffWindowsCopilot-Applicability-End -->
<!-- TurnOffWindowsCopilot-OmaUri-Begin -->


@ -537,6 +537,8 @@ items:
href: policy-csp-stickers.md
- name: Storage
href: policy-csp-storage.md
- name: Sudo
href: policy-csp-sudo.md
- name: System
href: policy-csp-system.md
- name: SystemServices


@ -1,27 +0,0 @@
---
title: Send feedback about Cortana at work back to Microsoft
description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Send feedback about Cortana back to Microsoft
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. The Feedback Hub application is launched, where you can provide more information to help diagnose reported issues.
:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page":::
To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. The Feedback Hub is launched, where more information on the issue can be provided.
:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub":::
In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**.


@ -1,60 +0,0 @@
---
title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
ms.prod: windows-client
ms.collection: tier3
ms.mktglfcycl: manage
ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
## What can you do with in Windows 10, versions 1909 and earlier?
Your employees can use Cortana to help manage their day and be more productive by getting quick answers to common questions, setting reminders, adding tasks to their To-Do lists, and find out where their next meeting is.
**See also:**
[Known issues for Windows Desktop Search and Cortana in Windows 10](/troubleshoot/windows-client/shell-experience/windows-desktop-search-and-cortana-issues).
### Before you begin
There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier.
- **Microsoft Entra account.** Before your employees can use Cortana in your org, they must be logged in using their Microsoft Entra account through Cortana&#39;s notebook. They must also authorize Cortana to access Microsoft 365 on their behalf.
- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn&#39;t a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Configuration Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution.
- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana).
### Turn on Cortana enterprise services on employees' devices
Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar.
#### Turn on Cortana enterprise services
1. Select the **Cortana** search box in the taskbar, and then select the **Notebook** icon.
2. Select **Manage Skills** , select **Manage accounts** , and under **Microsoft 365** select **Link**. The employee will be directed to sign into their Microsoft 365 account.
3. The employee can also disconnect by selecting **Microsoft 365**, then **Unlink**.
#### Turn off Cortana enterprise services
Cortana in Windows 10, versions 1909 and earlier can only access data in your Microsoft 365 organization when it's turned on. If you don't want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center.
1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/) using your admin account.
2. Select the app launcher icon in the upper-left and choose **Admin**.
3. Expand **Settings** and select **Org Settings**.
4. Select **Cortana** to toggle Cortana&#39;s access to Microsoft 365 data off.


@ -1,99 +0,0 @@
---
title: Configure Cortana in Windows 10 and Windows 11
ms.reviewer:
manager: aaroncz
description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
---
# Configure Cortana in Windows 10 and Windows 11
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
## Who is Cortana?
Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
:::image type="content" source="./images/screenshot1.png" alt-text="Screenshot: Cortana home page example":::
## Where is Cortana available for use in my organization?
Your employees can use Cortana in the languages listed [here](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). However, most productivity skills are currently only enabled for English (United States), for users with mailboxes in the United States.
The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store update to support languages other than English (United States).
## Required hardware and software
Cortana requires a PC running Windows 10, version 1703 or later, and the following software to successfully run the included scenario in your organization.
>[!NOTE]
>A microphone isn't required to use Cortana.
| Software | Minimum version |
|---------|---------|
|Client operating system | - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Microsoft Entra ID | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
>[!NOTE]
>For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana.
<a name='signing-in-using-azure-ad'></a>
## Signing in using Microsoft Entra ID
Your organization must have a Microsoft Entra tenant and your employees&#39; devices must all be Microsoft Entra joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what a Microsoft Entra tenant is, how to get your devices joined, and other Microsoft Entra maintenance info, see [Microsoft Entra documentation.](/azure/active-directory/)
## How is my data processed by Cortana?
Cortana's approach to integration with Microsoft 365 has changed with Windows 10, version 2004 and later.
### Cortana in Windows 10, version 2004 and later, or Windows 11
Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
The table below describes the data handling for Cortana enterprise services.
| Name | Description |
|---------|---------|
|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio isn't retained. |
|**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. |
|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio isn't retained. |
|**Processing and confidentiality** |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. |
|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data isn't used to target advertising. |
#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening?
>[!NOTE]
>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected.
First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard.
The first decision is made by the Windows Multiple Voice Assistant platform using hardware optionally included in the user&#39;s PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
:::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening":::
At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service doesn't confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user&#39;s PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized.
### Cortana in Windows 10, versions 1909 and earlier
Cortana in Windows 10, versions 1909 and earlier, isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana in Windows 10, version 1909 and earlier, treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419).
Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
## See also
- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818)


@ -1,88 +0,0 @@
---
title: Configure Cortana with Group Policy and MDM settings (Windows)
description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
---
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
- **Allow Cortana**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana`
- **MDM policy CSP**: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana)
- **Description**: Specifies if users can use Cortana.
Cortana wont work if this setting is turned off (disabled). On Windows 10, version 1809 and below, users can still do local searches, even with Cortana turned off.
- **AllowCortanaAboveLock**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock`
- **MDM policy CSP**: [AboveLock/AllowCortanaAboveLock](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowcortanaabovelock)
- **Description**: Specifies whether users can interact with Cortana using voice commands when the system is locked.
This setting:
- Doesn't apply to Windows 10, versions 2004 and later
- Doesn't apply to Windows 11
- **LetAppsActivateWithVoice**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice`
- **MDM policy CSP**: [Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice)
- **Description**: Specifies if apps, like Cortana or other voice assistants, can activate using a wake word, like “Hey Cortana”.
This setting applies to:
- Windows 10 versions 2004 and later
- Windows 11
To disable wake word activation on Windows 10 versions 1909 and earlier, disable voice commands using the [Privacy/AllowInputPersonalization CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization).
- **LetAppsAccessMicrophone**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone`
- **MDM policy CSP**: [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps)
- **Description**: Disables Cortanas access to the microphone. To use this setting, enter Cortanas Package Family Name: `Microsoft.549981C3F5F10_8wekyb3d8bbwe`. Users can still type queries to Cortana.
- **Allow users to enable online speech recognition services**
- **Group policy**: `Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services`
- **MDM policy CSP**: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization)
- **Description**: Specifies whether users can use voice commands with Cortana in your organization.
- **Windows 10, version 1511**: Cortana wont work if this setting is turned off (disabled).
- **Windows 10, version 1607 and later**: Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: Cortana will work, but voice input will be disabled.
- **AllowLocation**
- **Group policy**: None
- **MDM policy CSP**: [System/AllowLocation](/windows/client-management/mdm/policy-csp-system#system-allowlocation)
- **Description**: Specifies whether to allow app access to the Location service.
- **Windows 10, version 1511**: Cortana wont work if this setting is turned off (disabled).
- **Windows 10, version 1607 and later**: Cortana still works if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 don't use the Location service.
- **AllowMicrosoftAccountConnection**
- **Group policy**: None
- **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
- **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Microsoft Entra account, then disable this setting.
- **Allow search and Cortana to use location**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
- **MDM policy CSP**: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation)
- **Description**: Specifies whether Cortana can use your current location during searches and for location reminders. In **Windows 10, version 2004 and later**, Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, don't use the Location service.
- **Don't search the web or display web results**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`
- **MDM policy CSP**: [Search/DoNotUseWebResults](/windows/client-management/mdm/policy-csp-search#search-donotusewebresults)
- **Description**: Specifies if search can do queries on the web, and if the web results are shown in search.
- **Windows 10 Pro edition**: This setting cant be managed.
- **Windows 10 Enterprise edition**: Cortana won't work if this setting is turned off (disabled).
- **Windows 10, version 2004 and later**: This setting no longer impacts Cortana.


@ -1,38 +0,0 @@
---
title: Sign into Microsoft Entra ID, enable the wake word, and try a voice query
description: A test scenario walking you through signing in and managing the notebook.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
---
# Test scenario 1 Sign into Microsoft Entra ID, enable the wake word, and try a voice query
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!NOTE]
>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account.
2. Select the &quot;&quot; menu and select **Talking to Cortana**.
3. Toggle **Wake word** to **On** and close Cortana.
4. Say **Cortana, what can you do?**
When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word.
:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode":::
Once you finish saying your query, Cortana will open with the result.
>[!NOTE]
>If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button.


@ -1,28 +0,0 @@
---
title: Perform a quick search with Cortana at work (Windows)
description: This scenario is a test scenario about how to perform a quick search with Cortana at work.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 2 Perform a Bing search with Cortana
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
1. Select the **Cortana** icon in the taskbar.
2. Type **What time is it in Hyderabad?**.
Cortana will respond with the information from Bing.
:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderabad":::
>[!NOTE]
>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](./set-up-and-test-cortana-in-windows-10.md#set-up-and-configure-the-bing-answers-feature).


@ -1,27 +0,0 @@
---
title: Set a reminder for a location with Cortana at work (Windows)
description: A test scenario about how to set a location-based reminder using Cortana at work.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 3 - Set a reminder
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting.
1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**.
Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time.
:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder":::
:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page":::


@ -1,30 +0,0 @@
---
title: Use Cortana at work to find your upcoming meetings (Windows)
description: A test scenario on how to use Cortana at work to find your upcoming meetings.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 4 - Use Cortana to find free time on your calendar for your upcoming meetings.
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
This scenario helps you find out if a time slot is free on your calendar.
1. Select the **Cortana** icon in the taskbar.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
3. Type **Am I free at 3 PM tomorrow?**
Cortana will respond with your availability for that time, and nearby meetings.
:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar":::


@ -1,27 +0,0 @@
---
title: Use Cortana to send email to a coworker (Windows)
description: A test scenario about how to use Cortana at work to send email to a coworker.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 5 - Test scenario 5 Find out about a person
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
Cortana can help you quickly look up information about someone or the org chart.
1. Select the **Cortana** icon in the taskbar.
2. Type or select the mic and say, **Who is name of person in your organization's?**
:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization":::
Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search.


@ -1,27 +0,0 @@
---
title: Review a reminder suggested by Cortana (Windows)
description: A test scenario on how to use Cortana with the Suggested reminders feature.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 6 Change your language and perform a quick search with Cortana
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location.
1. Select the **Cortana** icon in the taskbar.
2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You'll be prompted to restart the app.
3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**.
:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish":::


@ -1,38 +0,0 @@
---
title: Help protect data with Cortana and WIP (Windows)
description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organizations data on a device
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This optional scenario helps you to protect your organizations data on a device, based on an inspection by Cortana.
## Use Cortana and WIP to protect your organizations data
1. Create and deploy a WIP policy to your organization. For information about how to do this step, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
2. Create a new email from a non-protected or personal mailbox, including the text _Ill send you that presentation tomorrow_.
3. Wait up to 2 hours to make sure everything has updated, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
Cortana automatically pulls your commitment to sending the presentation out of your email, showing it to you.
4. Create a new email from a protected mailbox, including the same text as above, _Ill send you that presentation tomorrow_.
5. Wait until everything has updated again, click the **Cortana** icon in the taskbar, and then click in the **Search** bar.
Because it was in an WIP-protected email, the presentation info isnt pulled out and it isnt shown to you.


@ -1,28 +0,0 @@
---
title: Cortana at work testing scenarios
description: Suggested testing scenarios that you can use to test Cortana in your organization.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 06/28/2021
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Cortana at work testing scenarios
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
- [Sign into Microsoft Entra ID, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
- [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
- [Set a reminder](cortana-at-work-scenario-3.md)
- [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
- [Find out about a person](cortana-at-work-scenario-5.md)
- [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md)
- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organizations entries in the notebook](cortana-at-work-scenario-7.md)


@ -1,64 +0,0 @@
---
title: Set up and test custom voice commands in Cortana for your organization (Windows)
description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Set up and test custom voice commands in Cortana for your organization
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!NOTE]
>This content applies to Cortana in versions 1909 and earlier, but will not be available in future releases.
Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
## High-level process
Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be simple to complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent.
To enable voice commands in Cortana
1. **Extend your LOB app.** Add a custom VCD file to your app package. This file defines what capabilities are available to Cortana from the app, letting you tell Cortana what vocal commands should be understood and handled by your app and how the app should start when the command is vocalized.
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, its best for that to happen in the foreground. However, if the app only uses basic commands and doesnt require interaction, it can happen in the background.
- **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana).
- **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
## Test scenario: Use voice commands in a Microsoft Store app
While these apps aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
**To get a Microsoft Store app**
1. Go to the Microsoft Store, scroll down to the **Collections** area, select **Show All**, and then select **Better with Cortana**.
2. Select **Uber**, and then select **Install**.
3. Open Uber, create an account or sign in, and then close the app.
**To set up the app with Cortana**
1. Select on the **Cortana** search box in the taskbar, and then select the **Notebook** icon.
2. Select on **Connected Services**, select **Uber**, and then select **Connect**.
![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png)
**To use the voice-enabled commands with Cortana**
1. Select on the **Cortana** icon in the taskbar, and then select the **Microphone** icon (to the right of the **Search** box).
2. Say _Uber get me a taxi_.
Cortana changes, letting you provide your trip details for Uber.
## See also
- [Cortana for developers](/cortana/skills/)

Binary file not shown.


Width:  |  Height:  |  Size: 2.8 MiB

Binary file not shown.


Width:  |  Height:  |  Size: 24 KiB


@ -1,14 +0,0 @@
---
author: mestew
ms.author: mstewart
manager: aaroncz
ms.subservice: itpro-updates
ms.service: windows-client
ms.topic: include
ms.date: 06/08/2023
ms.localizationpriority: medium
---
<!--This file is shared by all Cortana in Windows (standalone app) articles under /windows/configuration. 7987543 -->
> [!Important]
> Cortana in Windows as a standalone app is [deprecated](/windows/whats-new/deprecated-features). This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms.


@ -1,52 +0,0 @@
---
title: Set up and test Cortana in Windows 10, version 2004 and later
ms.reviewer:
manager: aaroncz
description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.technology: itpro-configure
ms.date: 12/31/2017
ms.topic: article
---
# Set up and test Cortana in Windows 10, version 2004 and later
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
## Before you begin
- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you'll need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11.
- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you'll need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md).
## Set up and configure the Bing Answers feature
Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as &quot;What&#39;s the current weather?&quot; or &quot;Who is the president of the U.S.?,&quot; and get a response, based on public results from Bing.com.
The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
## Configure the Bing Answers feature
Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users.
Users can't enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows.
Sign in to the [Office Configuration Admin tool](https://config.office.com/).
Follow the steps [here](/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example":::
## How does Microsoft handle customer data for Bing Answers?
When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following actions:
1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned.
2. If it isn't for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users&#39; workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization.
## How the Bing Answer policy configuration is applied
Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of a Microsoft Entra group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.


@ -1,48 +0,0 @@
---
title: Test scenario 1 Sign in with your work or school account and use Cortana to manage the notebook
description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 1 Sign in with your work or school account and use Cortana to manage the notebook
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
This scenario turns on Microsoft Entra ID and lets your employee use Cortana to manage an entry in the notebook.
## Sign in with your work or school account
This process helps you to sign out of a Microsoft Account and to sign into a Microsoft Entra account.
1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
2. Click your email address.
A dialog box appears, showing the associated account info.
3. Click **Sign out** under your email address.
This signs out the Microsoft account, letting you continue to add your work or school account.
4. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account.
## Use Cortana to manage the notebook content
This process helps you to manage the content Cortana shows in your Notebook.
1. Select the **Cortana** icon in the taskbar, click **Notebook**, select **Manage Skills.** Scroll down and click **Weather**.
2. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**.
3. Add **Redmond, Washington**.
> [!IMPORTANT]
> The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.


@ -1,40 +0,0 @@
---
title: Test scenario 2 - Perform a quick search with Cortana at work
description: A test scenario about how to perform a quick search with Cortana at work.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 2 Perform a quick search with Cortana at work
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!Important]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario helps you perform a quick search using Cortana, both by typing and through voice commands.
## Search using Cortana
1. Click on the Cortana icon in the taskbar, and then click in the Search bar.
2. Type **Type Weather in New York**.
You should see the weather in New York, New York at the top of the search results.
Insert screenshot
## Search with Cortana, by using voice commands
This process helps you to use Cortana at work and voice commands to perform a quick search.
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box).
2. Say **What's the weather in Chicago?** Cortana tells you and shows you the current weather in Chicago.
Insert screenshot


@ -1,81 +0,0 @@
---
title: Test scenario 3 - Set a reminder for a specific location using Cortana at work
description: A test scenario about how to set up, review, and edit a reminder based on a location.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 3 - Set a reminder for a specific location using Cortana at work
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!Important]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house.
>[!Note]
>You can set each reminder location individually as you create the reminders, or you can go into the About me screen and add both Work and Home addresses as favorites. Make sure that you use real addresses since youll need to go to these locations to complete your testing scenario.
Additionally, if youve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), youll also see your pending reminders on the Cortana Home page.
## Create a reminder for a specific location
This process helps you to create a reminder based on a specific location.
1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
2. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**.
3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder.
4. Click **Done**.
>[!Note]
>If youve never used this location before, youll be asked to add a name for it so it can be added to the Favorites list in Windows Maps.
5. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box.
6. Take a picture of your receipts and store them locally on your device.
7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**.
The photo is stored with the reminder.
Insert screenshot 6
8. Review the reminder info, and then click **Remind**.
The reminder is saved and ready to be triggered.
Insert screenshot
## Create a reminder for a specific location by using voice commands
This process helps you to use Cortana at work and voice commands to create a reminder for a specific location.
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone* icon (to the right of the Search box).
2. Say **Remind me to grab my expense report receipts before I leave home**.
Cortana opens a new reminder task and asks if it sounds good.
insert screenshot
3. Say **Yes** so Cortana can save the reminder.
insert screenshot
## Edit or archive an existing reminder
This process helps you to edit or archive and existing or completed reminder.
1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**.
2. Click the pending reminder you want to edit.
3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click Save to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**.


@ -1,54 +0,0 @@
---
title: Use Cortana to find your upcoming meetings at work (Windows)
description: A test scenario about how to use Cortana at work to find your upcoming meetings.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 4 - Use Cortana to find your upcoming meetings at work
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!Important]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally.
>[!Note]
>If youve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), youll also see your pending reminders on the Cortana Home page.
## Find out about upcoming meetings
This process helps you find your upcoming meetings.
1. Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
3. Type **Show me my meetings for tomorrow**.
Youll see all your meetings scheduled for the next day.
Cortana at work, showing all upcoming meetings
screenshot
## Find out about upcoming meetings by using voice commands
This process helps you to use Cortana at work and voice commands to find your upcoming meetings.
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box.
2. Say **Show me what meeting I have at 3pm tomorrow**.
>[!Important]
>Make sure that you have a meeting scheduled for the time you specify here.
Cortana at work, showing the meeting scheduled for 3pm
screenshot


@ -1,63 +0,0 @@
---
title: Use Cortana to send an email to co-worker (Windows)
description: A test scenario on how to use Cortana at work to send email to a co-worker.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 5 - Use Cortana to send an email to co-worker
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!Important]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally.
## Send email to a co-worker
This process helps you to send a quick message to a co-worker from the work address book.
1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
3. Type **Send an email to <contact_name>**.
Where <contact_name> is the name of someone in your work address book.
4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**.
Cortana at work, showing the email text
screenshot
## Send an email to a co-worker by using voice commands
This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book.
1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box.
2. Say **Send an email** to <contact_name>.
Where <contact_name> is the name of someone in your work address book.
3. Add your email message by saying, **Hello this is a test email using Cortana at work**.
The message is added and youre asked if you want to **Send it**, **Add more**, or **Make changes**.
Cortana at work, showing the email text created from verbal commands
screenshot
4. Say **Send it**.
The email is sent.
Cortana at work, showing the sent email text
screenshot


@ -1,50 +0,0 @@
---
title: Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email
description: A test scenario about how to use Cortana with the Suggested reminders feature.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Test scenario 6 - Review a reminder suggested by Cortana based on what youve promised in email
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!Important]
>The data created as part of these scenarios will be uploaded to Microsofts Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement).
Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you dont forget about them. For example, Cortana recognizes that if you include the text, Ill get something to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
>[!Important]
>The Suggested reminders feature is currently only available in English (en-us).
## Use Cortana to create suggested reminders for you
1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](./cortana-at-work-o365.md).
2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
3. Make sure the **Contacts**, **email**, **calendar**, and **communication history** option is turned on.
Permissions options for Cortana at work
screenshot
4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
Suggested reminders options for Cortana at work
screenshot
5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, **Ill finish this project by end of day today**.
6. After you get the email, click on the Cortana **Home** icon, and scroll to todays events.
If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
Cortana Home screen with your suggested reminder showing
screenshot


@ -1,27 +0,0 @@
---
title: Testing scenarios using Cortana in your business or organization
description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
ms.prod: windows-client
ms.collection: tier3
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
ms.date: 10/05/2017
ms.reviewer:
manager: aaroncz
ms.technology: itpro-configure
---
# Testing scenarios using Cortana in your business or organization
<!--Using include for Cortana in Windows deprecation -->
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
- [Sign in with your work or school account and use Cortana to manage the notebook](./cortana-at-work-scenario-1.md)
- [Perform a quick search with Cortana at work](./cortana-at-work-scenario-2.md)
- [Set a reminder for a specific location using Cortana at work](./cortana-at-work-scenario-3.md)
- [Use Cortana at work to find your upcoming meetings](./cortana-at-work-scenario-4.md)
- [Use Cortana to send email to a co-worker](./cortana-at-work-scenario-5.md)
- [Review a reminder suggested by Cortana based on what you&#39;ve promised in email](./cortana-at-work-scenario-6.md)
- [Use Cortana and Windows Information Protection (WIP) to help protect your organization&#39;s data on a device](./cortana-at-work-scenario-7.md)


@ -21,7 +21,7 @@ ms.technology: itpro-configure
Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content.
For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode) or the Kiosk Browser app, and configure it to show your online content.
>[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).


@ -3,8 +3,6 @@
items:
- name: Get started
items:
- name: What's new
href: deploy-whats-new.md
- name: Windows client deployment scenarios
href: windows-deployment-scenarios.md
- name: Quick guide to Windows as a service


@ -1,21 +0,0 @@
---
title: Windows Autopilot EULA dismissal important information
description: A notice about EULA dismissal through Windows Autopilot
ms.service: windows-client
ms.localizationpriority: medium
ms.date: 11/23/2022
author: frankroj
ms.author: frankroj
manager: aaroncz
ROBOTS: NOINDEX
ms.topic: article
ms.subservice: itpro-deploy
---
# Windows Autopilot EULA dismissal important information
> [!IMPORTANT]
> The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.
By using this function, you agree that suppressing or hiding any screens that are designed to provide users with notice or acceptance of terms means that you, on behalf of your organization or the individual user as the case may be, have consented to the notices and accepted the applicable terms. This consent includes your agreement to the terms and conditions of the license or notice that would be presented to the user if you didn't suppress or hide it using this tool. You and your users may not use the Windows software on those devices if you haven't validly acquired a license for the software from Microsoft or its licensed distributors.


@ -1,227 +0,0 @@
---
title: What's new in Windows client deployment
description: Use this article to learn about new solutions and online content related to deploying Windows in your organization.
ms.localizationpriority: medium
ms.service: windows-client
ms.subservice: itpro-deploy
author: frankroj
manager: aaroncz
ms.author: frankroj
ms.topic: conceptual
ms.collection:
- highpri
- tier2
ms.date: 01/18/2024
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# What's new in Windows client deployment
This article provides an overview of new solutions and online content related to deploying Windows client in your organization.
- For an all-up overview of new features in Windows, see [What's new in Windows](/windows/whats-new/).
## [Preview] Windows Autopilot diagnostics page
When you deploy Windows 11 with Autopilot, you can enable users to view additional information about the Autopilot provisioning process. A new **Windows Autopilot diagnostics Page** is available to provide IT admins and end users with a user-friendly view to troubleshoot Autopilot failures. For more information, see [Windows Autopilot: What's new](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page).
## Windows 11
Check out the following new articles about Windows 11:
- [Overview of Windows 11](/windows/whats-new/windows-11).
- [Plan for Windows 11](/windows/whats-new/windows-11-plan).
- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare).
- [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
## Deployment tools
- [SetupDiag](#setupdiag) is included with all currently supported versions of Windows.
- New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
- VPN support is added to [Windows Autopilot](#windows-autopilot).
- An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
## The Modern Desktop Deployment Center
The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has content to help you with large-scale deployment of supported version of Windows and Microsoft 365 Apps for enterprise.
## Microsoft 365
Microsoft 365 is a new offering from Microsoft that combines:
- A currently supported version of Windows.
- Office 365.
- Enterprise Mobility and Security (EMS).
See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
## Windows servicing and support
### Delivery Optimization
Windows PowerShell cmdlets for Delivery Optimization is improved:
- **Get-DeliveryOptimizationStatus** has the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include:
- Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content.
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth).
- Reason: Replaced with separate policies for foreground and background.
- Max Upload Bandwidth (DOMaxUploadBandwidth).
- Reason: impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth).
- Reason: separated to foreground and background.
### Windows Update for Business
[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
- **Intune console updates**: target version is now available allowing you to specify which supported version of Windows you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues affect that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds.
- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. Automatic sign-on ensures that when the user returns and unlocks the device, the update is completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all currently supported editions of Windows, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to update before pausing again.
- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in the taskbar.
- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the following table:
:::image type="content" alt-text="Support lifecycle." source="images/support-cycle.png":::
## Windows 10 Enterprise upgrade
Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md).
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
## Deployment solutions and tools
### Windows Autopilot
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Microsoft Entra hybrid join with VPN support.
If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in Windows 10, version 1903. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Configuration Manager
An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
### Windows 10 Subscription Activation
Windows 10 Education support is added to Windows 10 Subscription Activation.
With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
### SetupDiag
[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why an update of Windows failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
During the upgrade process, Windows Setup extracts all its sources files to the `%SystemDrive%\$Windows.~bt\Sources` directory. **SetupDiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under `%SystemDrive%\Windows.Old` for cleanup.
### Upgrade Readiness
Upgrade Readiness helps you ensure that applications and drivers are ready for an upgrade of Windows. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
Input from the community heavily influenced the development of Upgrade Readiness and the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following articles:
- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/).
- [Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview).
### Update Compliance
Update Compliance helps you to keep supported Windows devices in your organization secure and up-to-date.
Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md).
### Device Health
Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview).
### MBR2GPT
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of supported versions of Windows that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019.
For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
> [!IMPORTANT]
>
> MDT doesn't support versions of Windows after Windows 10 and Windows Server 2019.
### Windows Assessment and Deployment Kit (ADK)
IT Pros can use the tools in the Windows Assessment and Deployment Kit (Windows ADK) to deploy Windows.
Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
Also see [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
### Windows 10 deployment proof of concept (PoC)
The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
For more information, see the following guides:
- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md).
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
## Troubleshooting guidance
[Resolve Windows upgrade errors](upgrade/resolve-windows-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
## Related articles
- [Overview of Windows as a service](update/waas-overview.md).
- [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md).
- [Windows 10 release information](/windows/windows-10/release-information).
- [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications).
- [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md).
- [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md).


@ -1,5 +1,35 @@
items:
- name: FIPS 140-2 Validation
- name: FIPS 140 validation
href: fips-140-validation.md
- name: Common Criteria Certifications
href: windows-platform-common-criteria.md
- name: Completed FIPS validations
items:
- name: Windows 11
href: validations/fips-140-windows11.md
- name: Windows 10
href: validations/fips-140-windows10.md
- name: Previous Windows releases
href: validations/fips-140-windows-previous.md
- name: Windows Server 2019
href: validations/fips-140-windows-server-2019.md
- name: Windows Server 2016
href: validations/fips-140-windows-server-2016.md
- name: Windows Server semi-annual releases
href: validations/fips-140-windows-server-semi-annual.md
- name: Previous Windows Server releases
href: validations/fips-140-windows-server-previous.md
- name: Common Criteria certification
href: windows-platform-common-criteria.md
- name: Completed CC certifications
items:
- name: Windows 11
href: validations/cc-windows11.md
- name: Windows 10
href: validations/cc-windows10.md
- name: Previous Windows releases
href: validations/cc-windows-previous.md
- name: Windows Server 2022, 2019, 2016
href: validations/cc-windows-server-2022-2019-2016.md
- name: Windows Server semi-annual releases
href: validations/cc-windows-server-semi-annual.md
- name: Previous Windows Server releases
href: validations/cc-windows-server-previous.md


@ -0,0 +1,87 @@
---
title: Common Criteria certifications for previous Windows releases
description: Learn about the completed Common Criteria certifications for previous Windows releases.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# Common Criteria certifications for previous Windows releases
The following tables list the completed Common Criteria certifications for Windows releases before Windows 10 and provide links to certification documents, organized by major release of the operating system. The *Security Target* describes the product editions in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration. The *Certification Report* or *Validation Report* documents the results of the evaluation.
## Windows 8.1
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated editions: Pro (on Microsoft Surface 3); Windows Phone 8.1 (GDR2 on Microsoft Lumia 635 and 830). |August 27, 2015 |Certified against the Protection Profile for Mobile Device Fundamentals |[Security Target][security-target-august-2015]; [Administrative Guide][admin-guide-august-2015]; [Certification Report][certification-report-august-2015] |
|Validated editions: Pro (on Microsoft Surface Pro 3). |April 21, 2015|Certified against the Protection Profile for Mobile Device Fundamentals |[Security Target][security-target-april-2015]; [Administrative Guide][admin-guide-april-2015]; [Certification Report][certification-report-april-2015] |
|Validated editions: Pro (on Microsoft Surface Pro 2 and Dell Venue 8 Pro); Enterprise (on Lenovo X1 Carbon and HP Pro x2 410 G1); Windows Phone 8.1 (on Microsoft Lumia 520). |March 16, 2015 |Certified against the Protection Profile for Mobile Device Fundamentals |[Security Target][security-target-march-2015]; [Administrative Guide][admin-guide-march-2015]; [Certification Report][certification-report-march-2015] |
## Windows 8
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated editions: Pro, Enterprise. |January 9, 2015 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-january-2015-pro]; [Administrative Guide][admin-guide-january-2015-pro]; [Certification Report][certification-report-january-2015-pro] |
|Validated editions: Windows 8, RT. |January 9, 2015 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-january-2015-rt]; [Administrative Guide][admin-guide-january-2015-rt]; [Certification Report][certification-report-january-2015-rt] |
|Validated editions: Pro, Enterprise. |April 7, 2014 |(Disk encryption certification.) Certified against the Protection Profile for Full Disk Encryption. |[Security Target][security-target-april-2014]; [Administrative Guide][admin-guide-april-2014]; [Certification Report][certification-report-april-2014] |
|Validated editions: Windows 8, Pro, Enterprise, RT. |January 31, 2014 |(VPN certification.) Certified against the Protection Profile for IPsec Virtual Private Network Clients. |[Security Target][security-target-january-2014]; [Administrative Guide][admin-guide-january-2014]; [Certification Report][certification-report-january-2014] |
## Windows 7
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated editions: Enterprise, Ultimate. |March 24, 2011 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] |
## Windows Vista
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated edition: Enterprise. |August 15, 2009 |EAL 4. Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] |
|Validated edition: Enterprise. |September 17, 2008 |EAL 1. CC Part 2: security functional requirements. CC Part 3: security assurance requirements. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] |
---
<!-- Links -->
<!-- Security Targets -->
[security-target-august-2015]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-st.pdf
[security-target-april-2015]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-st.pdf
[security-target-march-2015]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-st.pdf
[security-target-january-2015-pro]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-st.pdf
[security-target-january-2015-rt]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-st.pdf
[security-target-april-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf
[security-target-january-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf
[security-target-march-2011]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf
[security-target-august-2009]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf
[security-target-september-2008]: https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf
<!-- Administrative Guides -->
[admin-guide-august-2015]: https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx
[admin-guide-april-2015]: https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx
[admin-guide-march-2015]: https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx
[admin-guide-january-2015-pro]: https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx
[admin-guide-january-2015-rt]: https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx
[admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf
[admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx
[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00
[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
<!-- Certification and Validation Reports -->
[certification-report-august-2015]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf
[certification-report-april-2015]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf
[certification-report-march-2015]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf
[certification-report-january-2015-pro]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf
[certification-report-january-2015-rt]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf
[certification-report-april-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf
[certification-report-january-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf
[certification-report-march-2011]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf
[certification-report-august-2009]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf
[certification-report-september-2008]: https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf


@ -0,0 +1,80 @@
---
title: Common Criteria certifications for Windows Server 2022, 2019, and 2016
description: Learn about the completed Common Criteria certifications for Windows Server 2022, 2019, and 2016.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# Windows Server 2022, 2019, and 2016 Common Criteria certifications
The following tables list the completed Common Criteria certifications for Windows Server 2022, 2019, and 2016 releases and provide links to certification documents, organized by major release of the operating system. The *Security Target* describes the product editions in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration. The *Certification Report* or *Validation Report* documents the results of the evaluation, with the *Assurance Activity Report* providing details on the evaluator's actions.
## Windows Server 2022
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.20348.587. Validated editions: Standard, Datacenter. |January 17, 2024 |Certified against the Protection Profile for General Purpose Operating Systems (4.2.1), the PP-Module for VPN Client (2.4), the PP-Module for Wireless Local Area Network Client (1.0) and the PP-Module for Bluetooth (1.0). |[Security Target][security-target-january-2024]; [Administrative Guide][admin-guide-january-2024]; [Assurance Activity Report][assurance-report-january-2024]; [Certification Report][certification-report-january-2024] |
|Build: 10.0.20348.1. Validated editions: Standard, Datacenter. |January 26, 2023 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-january-2023]; [Administrative Guide][admin-guide-january-2023]; [Assurance Activity Report][assurance-report-january-2023]; [Certification Report][certification-report-january-2023] |
## Windows Server 2019
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.17763. Validated editions: Standard, Datacenter. |February 11, 2021 |(Hyper-V certification.) Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. |[Security Target][security-target-february-2021]; [Administrative Guide][admin-guide-february-2021]; [Assurance Activity Report][assurance-report-february-2021]; [Certification Report][certification-report-february-2021] |
|Build: 10.0.17763. Validated editions: Standard, Datacenter. |September 7, 2019 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. |[Security Target][security-target-september-2019]; [Administrative Guide][admin-guide-september-2019]; [Assurance Activity Report][assurance-report-september-2019]; [Certification Report][certification-report-september-2019] |
## Windows Server 2016
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated editions: Standard, Datacenter. |November 20, 2017 |(Hyper-V certification.) Certified against the Protection Profile for Server Virtualization. |[Security Target][security-target-november-2017]; [Administrative Guide][admin-guide-november-2017]; [Assurance Activity Report][assurance-report-november-2017]; [Certification Report][certification-report-november-2017] |
|Build: 10.0.14393. Validated editions: Standard, Datacenter. |February 6, 2017 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-february-2017]; [Administrative Guide][admin-guide-february-2017]; [Assurance Activity Report][assurance-report-february-2017]; [Certification Report][certification-report-february-2017] |
|Validated editions: Standard, Datacenter. |December 29, 2016 |(VPN certification.) Certified against the Protection Profile for IPsec Virtual Private Network Clients. |[Security Target][security-target-december-2016]; [Administrative Guide][admin-guide-december-2016]; [Assurance Activity Report][assurance-report-december-2016]; [Certification Report][certification-report-december-2016] |
---
<!-- Links -->
<!-- Security Targets -->
[security-target-january-2024]: https://download.microsoft.com/download/2/6/c/26c2c205-db9f-474b-9ac7-bd8bf6ae463c/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(22H2).pdf
[security-target-january-2023]: https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf
[security-target-february-2021]: https://download.microsoft.com/download/5/f/6/5f6efbb4-88a0-4161-953d-de07450b7107/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Security%20Target.pdf
[security-target-september-2019]: https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf
[security-target-november-2017]: https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf
[security-target-february-2017]: https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20(december%202%202016)%20(clean).docx
[security-target-december-2016]: https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20(december%2029%202016)%20(clean).docx
<!-- Administrative Guides -->
[admin-guide-january-2023]: https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf
[admin-guide-january-2024]: https://download.microsoft.com/download/c/8/3/c83090c7-d299-4d26-a1c3-fb2bf2d77a7b/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(22H2).pdf
[admin-guide-february-2021]: https://download.microsoft.com/download/7/5/0/750db292-f3d3-48c9-9557-aa64237a0e22/Virtualization%201909%20Administrative%20Guide.pdf
[admin-guide-september-2019]: https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-november-2017]: https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf
[admin-guide-february-2017]: https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20(final).docx
[admin-guide-december-2016]: https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20(21%20dec%202016)%20(public).docx
<!-- Assurance Activity Reports -->
[assurance-report-january-2023]: https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf
[assurance-report-january-2024]: https://download.microsoft.com/download/1/7/f/17fac352-5c93-4e4b-9866-3c0df4080164/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Public%20Assurance%20Activity%20Report%20(22H2).pdf
[assurance-report-february-2021]: https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf
[assurance-report-september-2019]: https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-november-2017]: https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf
[assurance-report-february-2017]: https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-december-2016]: https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf
<!-- Certification and Validation Reports -->
[certification-report-january-2023]: https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf
[certification-report-january-2024]: https://download.microsoft.com/download/6/9/1/69101f35-1373-4262-8c5b-75e08bc2e365/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(22H2).pdf
[certification-report-february-2021]: https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf
[certification-report-september-2019]: https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf
[certification-report-november-2017]: https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf
[certification-report-february-2017]: https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf
[certification-report-december-2016]: https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf


@ -0,0 +1,108 @@
---
title: Common Criteria certifications for previous Windows Server releases
description: Learn about the completed Common Criteria certifications for previous Windows Server releases.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# Common Criteria certifications for previous Windows Server releases
The following tables list the completed Common Criteria certifications for Windows Server releases before Windows Server 2016 and provide links to certification documents, organized by major release of the operating system. The *Security Target* describes the product editions in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration. The *Certification Report* or *Validation Report* documents the results of the evaluation, with the *Assurance Activity Report* (when available) providing details on the evaluator's actions.
## Windows Server 2012 R2
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated editions: Standard, Datacenter. |November 20, 2017 |(Hyper-V certification.) Certified against the Protection Profile for Server Virtualization. |[Security Target][security-target-november-2017]; [Administrative Guide][admin-guide-november-2017]; [Assurance Activity Report][assurance-report-november-2017]; [Certification Report][certification-report-november-2017] |
|Build: 6.3.9600. Validated editions: Standard, Datacenter. |April 6, 2016 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-april-2016]; [Administrative Guide][admin-guide-april-2016]; [Assurance Activity Report][assurance-report-april-2016]; [Certification Report][certification-report-april-2016] |
## Windows Server 2012
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated editions: Standard, Datacenter. |January 9, 2015 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-january-2015-pro]; [Administrative Guide][admin-guide-january-2015-pro]; [Certification Report][certification-report-january-2015-pro] |
|Validated editions: Standard, Datacenter. |April 7, 2014 |(Disk encryption certification.) Certified against the Protection Profile for Full Disk Encryption. |[Security Target][security-target-april-2014]; [Administrative Guide][admin-guide-april-2014]; [Certification Report][certification-report-april-2014] |
|Validated editions: Standard, Datacenter. |January 31, 2014 |(VPN certification.) Certified against the Protection Profile for IPsec Virtual Private Network Clients. |[Security Target][security-target-january-2014]; [Administrative Guide][admin-guide-january-2014]; [Certification Report][certification-report-january-2014] |
## Windows Server 2008 R2
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated editions: Standard, Enterprise, Datacenter, Itanium. |March 24, 2011 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-march-2011]; [Administrative Guide][admin-guide-march-2011]; [Certification Report][certification-report-march-2011] |
|Server Core 2008 R2: Hyper-V Server Role|July 24, 2009 |(Hyper-V certification.) Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 3. It is CC Part 2 extended and Part 3 conformant, with a claimed Evaluation Assurance Level of EAL4, augmented by ALC_FLR.3. |[Security Target][security-target-july-2009]; [Administrative Guide][admin-guide-july-2009]; [Certification Report][certification-report-july-2009] |
## Windows Server 2008
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated edition: Standard, Enterprise, Datacenter. |August 15, 2009 |Controlled Access Protection Profile. CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-august-2009]; [Administrative Guide][admin-guide-august-2009]; [Certification Report][certification-report-august-2009] |
|Microsoft Windows Server Core 2008: Hyper-V Server Role. |July 24, 2009 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 4. |[Security Target][security-target-july-2009-hyperv]; [Administrative Guide][admin-guide-july-2009-hyperv]; [Certification Report][certification-report-july-2009-hyperv] |
|Validated edition: Standard, Enterprise, Datacenter. |September 17, 2008 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements, at EAL 1. |[Security Target][security-target-september-2008]; [Administrative Guide][admin-guide-september-2008]; [Certification Report][certification-report-september-2008] |
## Windows Server 2003 Certificate Server
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Microsoft Certificate Server, as part of Windows Server 2003 SP1, Enterprise Edition |April 1, 2007 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements at EAL 4, augmented with ALC_FLR.3 and AVA_VLA.4. |[Security Target][security-target-april-2007]; [Certification Report][certification-report-april-2007] |
## Windows Rights Management Services
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Microsoft Windows Rights Management Services 1.0 with SP2 |August 8, 2007 |CC Part 2: security functional requirements. CC Part 3: security assurance requirements at EAL 4, augmented with ALC_FLR.3. |[Security Target][security-target-august-2007]; [Certification Report][certification-report-august-2007] |
---
<!-- Links -->
<!-- Security Targets -->
[security-target-april-2016]: https://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf
[security-target-november-2017]: https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf
[security-target-january-2015-pro]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-st.pdf
[security-target-april-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf
[security-target-january-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf
[security-target-march-2011]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf
[security-target-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29305
[security-target-july-2009-hyperv]: https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf
[security-target-august-2009]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf
[security-target-september-2008]: https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf
[security-target-august-2007]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf
[security-target-april-2007]: https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf
<!-- Administrative Guides -->
[admin-guide-april-2016]: https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf
[admin-guide-november-2017]: https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf
[admin-guide-january-2015-pro]: https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx
[admin-guide-april-2014]: https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf
[admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx
[admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00
[admin-guide-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29308
[admin-guide-july-2009-hyperv]: https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08
[admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
[admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
<!-- Assurance Activity Reports -->
[assurance-report-april-2016]: https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf
[assurance-report-november-2017]: https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf
<!-- Certification and Validation Reports -->
[certification-report-april-2016]: https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf
[certification-report-november-2017]: https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf
[certification-report-january-2015-pro]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf
[certification-report-april-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf
[certification-report-january-2014]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf
[certification-report-march-2011]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf
[certification-report-july-2009]: https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf
[certification-report-july-2009-hyperv]: http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf
[certification-report-august-2009]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf
[certification-report-september-2008]: https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf
[certification-report-august-2007]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf
[certification-report-april-2007]: https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf


@ -0,0 +1,106 @@
---
title: Common Criteria certifications for Windows Server semi-annual releases
description: Learn about the completed Common Criteria certifications for Windows Server semi-annual releases.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# Windows Server semi-annual Common Criteria certifications
The following tables list the completed Common Criteria certifications for Windows Server semi-annual releases and provide links to certification documents, organized by major release of the operating system. The *Security Target* describes the product editions in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration. The *Certification Report* or *Validation Report* documents the results of the evaluation, with the *Assurance Activity Report* providing details on the evaluator's actions.
## Windows Server, version 20H2 (October 2020 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.19042.1052. Validated editions: Standard, Datacenter. |January 26, 2023 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-january-2023]; [Administrative Guide][admin-guide-january-2023]; [Assurance Activity Report][assurance-report-january-2023]; [Certification Report][certification-report-january-2023] |
## Windows Server, version 2004 (May 2020 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.19041. Validated editions: Standard, Datacenter. |December 31, 2021 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-december-2021]; [Administrative Guide][admin-guide-december-2021]; [Assurance Activity Report][assurance-report-december-2021]; [Certification Report][certification-report-december-2021] |
## Windows Server, version 1909 (November 2019 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.18363. Validated editions: Standard, Datacenter. |February 11, 2021 |(Hyper-V certification.) Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. |[Security Target][security-target-february-2021]; [Administrative Guide][admin-guide-february-2021]; [Assurance Activity Report][assurance-report-february-2021]; [Certification Report][certification-report-february-2021] |
|Build: 10.0.18363. Validated editions: Standard, Datacenter. |June 5, 2020 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-june-2020]; [Administrative Guide][admin-guide-june-2020]; [Assurance Activity Report][assurance-report-june-2020]; [Certification Report][certification-report-june-2020] |
## Windows Server, version 1903 (May 2019 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.18362. Validated editions: Standard, Datacenter. |October 26, 2019 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. |[Security Target][security-target-october-2019]; [Administrative Guide][admin-guide-october-2019]; [Assurance Activity Report][assurance-report-october-2019]; [Certification Report][certification-report-october-2019] |
## Windows Server, version 1809 (October 2018 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.17763. Validated editions: Standard, Datacenter. |February 11, 2021 |(Hyper-V certification.) Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. |[Security Target][security-target-february-2021]; [Administrative Guide][admin-guide-february-2021]; [Assurance Activity Report][assurance-report-february-2021]; [Certification Report][certification-report-february-2021] |
|Build: 10.0.17763. Validated editions: Standard, Datacenter. |September 7, 2019 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. |[Security Target][security-target-september-2019]; [Administrative Guide][admin-guide-september-2019]; [Assurance Activity Report][assurance-report-september-2019]; [Certification Report][certification-report-september-2019] |
## Windows Server, version 1803 (April 2018 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.17134. Validated editions: Standard Core, Datacenter Core. |February 6, 2019 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. |[Security Target][security-target-february-2019]; [Administrative Guide][admin-guide-february-2019]; [Assurance Activity Report][assurance-report-february-2019]; [Certification Report][certification-report-february-2019] |
## Windows Server, version 1709 (Fall Creators Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.16299. Validated editions: Standard Core, Datacenter Core. |April 20, 2018 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-april-2018]; [Administrative Guide][admin-guide-april-2018]; [Assurance Activity Report][assurance-report-april-2018]; [Certification Report][certification-report-april-2018] |
---
<!-- Links -->
<!-- Security Targets -->
[security-target-january-2023]: https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf
[security-target-december-2021]: https://download.microsoft.com/download/a/5/6/a5650848-e86a-4554-bb13-1ad6ff2d45d2/Windows%2010%202004%20GP%20OS%20Security%20Target.pdf
[security-target-february-2021]: https://download.microsoft.com/download/5/f/6/5f6efbb4-88a0-4161-953d-de07450b7107/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Security%20Target.pdf
[security-target-june-2020]: https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf
[security-target-october-2019]: https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf
[security-target-september-2019]: https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf
[security-target-february-2019]: https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf
[security-target-april-2018]: https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf
<!-- Administrative Guides -->
[admin-guide-january-2023]: https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf
[admin-guide-december-2021]: https://download.microsoft.com/download/4/a/6/4a66a459-3c73-4c34-84bb-92cb20301206/Windows%2010%202004%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-february-2021]: https://download.microsoft.com/download/7/5/0/750db292-f3d3-48c9-9557-aa64237a0e22/Virtualization%201909%20Administrative%20Guide.pdf
[admin-guide-june-2020]: https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-october-2019]: https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-september-2019]: https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-february-2019]: https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-april-2018]: https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf
<!-- Assurance Activity Reports -->
[assurance-report-january-2023]: https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf
[assurance-report-december-2021]: https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf
[assurance-report-february-2021]: https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf
[assurance-report-june-2020]: https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-october-2019]: https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-september-2019]: https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-february-2019]: https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf
[assurance-report-april-2018]: https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf
<!-- Certification and Validation Reports -->
[certification-report-january-2023]: https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf
[certification-report-december-2021]: https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf
[certification-report-february-2021]: https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf
[certification-report-june-2020]: https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf
[certification-report-october-2019]: https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf
[certification-report-september-2019]: https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf
[certification-report-february-2019]: https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf
[certification-report-april-2018]: https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf


@ -0,0 +1,192 @@
---
title: Common Criteria certifications for Windows 10
description: Learn about the completed Common Criteria certifications for Windows 10.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# Windows 10 Common Criteria certifications
The following tables list the completed Windows 10 Common Criteria certifications and provide links to certification documents, organized by major release of the operating system. The *Security Target* describes the product editions in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration. The *Certification Report* or *Validation Report* documents the results of the evaluation, with the *Assurance Activity Report* providing details on the evaluator's actions.
## Windows 10, version 22H2 (2022 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.19045.2006. Validated editions: Pro, Enterprise. |January 17, 2024 |Certified against the Protection Profile for General Purpose Operating Systems, the PP-Module for VPN Client, the PP-Module for Wireless Local Area Network Client and the PP-Module for Bluetooth. |[Security Target][security-target-january-2024]; [Administrative Guide][admin-guide-january-2024]; [Assurance Activity Report][assurance-report-january-2024]; [Certification Report][certification-report-january-2024] |
## Windows 10, version 21H2 (November 2021 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.19044.1288. Validated editions: Pro, Enterprise. |January 26, 2023 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-january-2023]; [Administrative Guide][admin-guide-january-2023]; [Assurance Activity Report][assurance-report-january-2023]; [Certification Report][certification-report-january-2023] |
## Windows 10, version 21H1 (May 2021 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.19043.1052. Validated editions: Pro, Enterprise. |January 26, 2023 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-january-2023]; [Administrative Guide][admin-guide-january-2023]; [Assurance Activity Report][assurance-report-january-2023]; [Certification Report][certification-report-january-2023] |
## Windows 10, version 20H2 (October 2020 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.19042.1052. Validated editions: Pro, Enterprise. |January 26, 2023 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-january-2023]; [Administrative Guide][admin-guide-january-2023]; [Assurance Activity Report][assurance-report-january-2023]; [Certification Report][certification-report-january-2023] |
## Windows 10, version 2004 (May 2020 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.19041. Validated editions: Home, Pro, Enterprise. |December 31, 2021 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-december-2021]; [Administrative Guide][admin-guide-december-2021]; [Assurance Activity Report][assurance-report-december-2021]; [Certification Report][certification-report-december-2021] |
## Windows 10, version 1909 (November 2019 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.18363. Validated edition: Enterprise. |February 11, 2021 |(Hyper-V certification.) Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. |[Security Target][security-target-february-2021]; [Administrative Guide][admin-guide-february-2021]; [Assurance Activity Report][assurance-report-february-2021]; [Certification Report][certification-report-february-2021] |
|Build: 10.0.18363. Validated editions: Home, Pro, Enterprise. |June 5, 2020 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-june-2020]; [Administrative Guide][admin-guide-june-2020]; [Assurance Activity Report][assurance-report-june-2020]; [Certification Report][certification-report-june-2020] |
## Windows 10, version 1903 (May 2019 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.18362. Validated editions: Home, Pro, Enterprise. |October 26, 2019 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. |[Security Target][security-target-october-2019]; [Administrative Guide][admin-guide-october-2019]; [Assurance Activity Report][assurance-report-october-2019]; [Certification Report][certification-report-october-2019] |
## Windows 10, version 1809 (October 2018 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.17763. Validated editions: Home, Pro, Enterprise. |September 7, 2019 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. |[Security Target][security-target-september-2019]; [Administrative Guide][admin-guide-september-2019]; [Assurance Activity Report][assurance-report-september-2019]; [Certification Report][certification-report-september-2019] |
## Windows 10, version 1803 (April 2018 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.17134. Validated editions: Home, Pro, Enterprise. |February 6, 2019 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. |[Security Target][security-target-february-2019]; [Administrative Guide][admin-guide-february-2019]; [Assurance Activity Report][assurance-report-february-2019]; [Certification Report][certification-report-february-2019] |
## Windows 10, version 1709 (Fall Creators Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.16299. Validated editions: Home, Pro, Enterprise, S. |April 20, 2018 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-april-2018]; [Administrative Guide][admin-guide-april-2018]; [Assurance Activity Report][assurance-report-april-2018]; [Certification Report][certification-report-april-2018] |
## Windows 10, version 1703 (Creators Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.15063. Validated editions: Home, Pro, Enterprise, S. |February 21, 2018 |Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-february-2018]; [Administrative Guide][admin-guide-february-2018]; [Assurance Activity Report][assurance-report-february-2018]; [Certification Report][certification-report-february-2018] |
## Windows 10, version 1607 (Anniversary Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.14393. Validated editions: Pro, Enterprise, Mobile. |April 12, 2017 |(Mobile certification.) Certified against the Protection Profile for Mobile Device Fundamentals. |[Security Target][security-target-april-2017]; [Administrative Guide][admin-guide-april-2017]; [Assurance Activity Report][assurance-report-april-2017]; [Certification Report][certification-report-april-2017] |
|Validated editions: Home, Pro, Enterprise. |February 6, 2017 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-february-2017]; [Administrative Guide][admin-guide-february-2017]; [Assurance Activity Report][assurance-report-february-2017]; [Certification Report][certification-report-february-2017] |
|Validated editions: Home, Pro, Enterprise. |December 29, 2016 |(VPN certification.) Certified against the Protection Profile for IPsec Virtual Private Network Clients. |[Security Target][security-target-december-2016]; [Administrative Guide][admin-guide-december-2016]; [Assurance Activity Report][assurance-report-december-2016]; [Certification Report][certification-report-december-2016] |
## Windows 10, version 1511 (November 2015 Update)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated editions: Pro, Enterprise. |June 23, 2016 |(Mobile certification.) Certified against the Protection Profile for Mobile Device Fundamentals. |[Security Target][security-target-june-2016]; [Administrative Guide][admin-guide-june-2016]; [Assurance Activity Report][assurance-report-june-2016]; [Certification Report][certification-report-june-2016] |
## Windows 10, version 1507 (initial version released July 2015)
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Validated edition: Enterprise. |November 20, 2017 |(Hyper-V certification.) Certified against the Protection Profile for Server Virtualization. |[Security Target][security-target-november-2017]; [Administrative Guide][admin-guide-november-2017]; [Assurance Activity Report][assurance-report-november-2017]; [Certification Report][certification-report-november-2017] |
|Validated edition: Pro, Enterprise. |November 10, 2016 |(VPN certification.) Certified against the Protection Profile for IPsec Virtual Private Network Clients. |[Security Target][security-target-november-2016]; [Administrative Guide][admin-guide-november-2016]; [Assurance Activity Report][assurance-report-november-2016]; [Certification Report][certification-report-november-2016] |
|Validated editions: Pro, Enterprise. |May 12, 2016 |(Mobile certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-may-2016]; [Administrative Guide][admin-guide-may-2016]; [Assurance Activity Report][assurance-report-may-2016]; [Certification Report][certification-report-may-2016] |
|Build: 10.0.10240. Validated editions: Home, Pro, Enterprise. |April 6, 2016 |(OS certification.) Certified against the Protection Profile for General Purpose Operating Systems. |[Security Target][security-target-april-2016]; [Administrative Guide][admin-guide-april-2016]; [Assurance Activity Report][assurance-report-april-2016]; [Certification Report][certification-report-april-2016] |
---
<!-- Links -->
<!-- Security Targets -->
[security-target-january-2024]: https://download.microsoft.com/download/2/6/c/26c2c205-db9f-474b-9ac7-bd8bf6ae463c/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(22H2).pdf
[security-target-january-2023]: https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf
[security-target-december-2021]: https://download.microsoft.com/download/a/5/6/a5650848-e86a-4554-bb13-1ad6ff2d45d2/Windows%2010%202004%20GP%20OS%20Security%20Target.pdf
[security-target-february-2021]: https://download.microsoft.com/download/5/f/6/5f6efbb4-88a0-4161-953d-de07450b7107/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Security%20Target.pdf
[security-target-june-2020]: https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf
[security-target-october-2019]: https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf
[security-target-september-2019]: https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf
[security-target-february-2019]: https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf
[security-target-april-2018]: https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf
[security-target-february-2018]: https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20(january%2016,%202018)(final)(clean).pdf
[security-target-november-2017]: https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf
[security-target-april-2017]: https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20(april%203%202017).docx
[security-target-february-2017]: https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20(december%202%202016)%20(clean).docx
[security-target-december-2016]: https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20(december%2029%202016)%20(clean).docx
[security-target-november-2016]: https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf
[security-target-june-2016]: https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20(june%2022%202016)(final).docx
[security-target-may-2016]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10677-st.pdf
[security-target-april-2016]: https://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf
<!-- Administrative Guides -->
[admin-guide-january-2023]: https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf
[admin-guide-january-2024]: https://download.microsoft.com/download/c/8/3/c83090c7-d299-4d26-a1c3-fb2bf2d77a7b/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(22H2).pdf
[admin-guide-december-2021]: https://download.microsoft.com/download/4/a/6/4a66a459-3c73-4c34-84bb-92cb20301206/Windows%2010%202004%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-february-2021]: https://download.microsoft.com/download/7/5/0/750db292-f3d3-48c9-9557-aa64237a0e22/Virtualization%201909%20Administrative%20Guide.pdf
[admin-guide-june-2020]: https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-october-2019]: https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-september-2019]: https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-february-2019]: https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-april-2018]: https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf
[admin-guide-february-2018]: https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20(jan%208%202017%20-%20public).pdf
[admin-guide-november-2017]: https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf
[admin-guide-april-2017]: https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20(16%20mar%202017)(clean).docx
[admin-guide-february-2017]: https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20(final).docx
[admin-guide-december-2016]: https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20(21%20dec%202016)%20(public).docx
[admin-guide-november-2016]: https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf
[admin-guide-june-2016]: https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20(may%2027,%202016)(public).docx
[admin-guide-may-2016]: https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf
[admin-guide-april-2016]: https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf
<!-- Assurance Activity Reports -->
[assurance-report-january-2023]: https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf
[assurance-report-january-2024]: https://download.microsoft.com/download/1/7/f/17fac352-5c93-4e4b-9866-3c0df4080164/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Public%20Assurance%20Activity%20Report%20(22H2).pdf
[assurance-report-december-2021]: https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf
[assurance-report-february-2021]: https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf
[assurance-report-june-2020]: https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-october-2019]: https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-september-2019]: https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-february-2019]: https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-april-2018]: https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-february-2018]: https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-november-2017]: https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf
[assurance-report-april-2017]: https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf
[assurance-report-february-2017]: https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf
[assurance-report-december-2016]: https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf
[assurance-report-november-2016]: https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf
[assurance-report-june-2016]: https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf
[assurance-report-may-2016]: https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf
[assurance-report-april-2016]: https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf
<!-- Certification and Validation Reports -->
[certification-report-january-2023]: https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf
[certification-report-january-2024]: https://download.microsoft.com/download/6/9/1/69101f35-1373-4262-8c5b-75e08bc2e365/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(22H2).pdf
[certification-report-december-2021]: https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf
[certification-report-february-2021]: https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf
[certification-report-june-2020]: https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf
[certification-report-october-2019]: https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf
[certification-report-september-2019]: https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf
[certification-report-february-2019]: https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf
[certification-report-april-2018]: https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf
[certification-report-february-2018]: https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf
[certification-report-november-2017]: https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf
[certification-report-april-2017]: https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf
[certification-report-february-2017]: https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf
[certification-report-december-2016]: https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf
[certification-report-november-2016]: https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf
[certification-report-june-2016]: https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf
[certification-report-may-2016]: https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf
[certification-report-april-2016]: https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf


@ -0,0 +1,50 @@
---
title: Common Criteria certifications for Windows 11
description: Learn about the completed Common Criteria certifications for Windows 11.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# Windows 11 Common Criteria certifications
The following tables list the completed Windows 11 Common Criteria certifications and provide links to certification documents, organized by major release of the operating system. The *Security Target* describes the product editions in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration. The *Certification Report* or *Validation Report* documents the results of the evaluation, with the *Assurance Activity Report* providing details on the evaluator's actions.
## Windows 11, version 22H2
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.22621.1. Validated editions: Enterprise, Pro, Education, IoT Enterprise. |January 17, 2024 |Certified against the Protection Profile for General Purpose Operating Systems (4.2.1), the PP-Module for VPN Client (2.4), the PP-Module for Wireless Local Area Network Client (1.0) and the PP-Module for Bluetooth (1.0). |[Security Target][security-target-january-2024]; [Administrative Guide][admin-guide-january-2024]; [Assurance Activity Report][assurance-report-january-2024]; [Certification Report][certification-report-january-2024] |
## Windows 11, version 21H2
|Product details |Date |Scope |Documents |
|---------|---------|---------|---------|
|Build: 10.0.22000.1. Validated edition: Enterprise. |January 26, 2023 |Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. |[Security Target][security-target-january-2023]; [Administrative Guide][admin-guide-january-2023]; [Assurance Activity Report][assurance-report-january-2023]; [Certification Report][certification-report-january-2023] |
---
<!-- Links -->
<!-- Security Targets -->
[security-target-january-2024]: https://download.microsoft.com/download/2/6/c/26c2c205-db9f-474b-9ac7-bd8bf6ae463c/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(22H2).pdf
[security-target-january-2023]: https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf
<!-- Administrative Guides -->
[admin-guide-january-2023]: https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf
[admin-guide-january-2024]: https://download.microsoft.com/download/c/8/3/c83090c7-d299-4d26-a1c3-fb2bf2d77a7b/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(22H2).pdf
<!-- Assurance Activity Reports -->
[assurance-report-january-2023]: https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf
[assurance-report-january-2024]: https://download.microsoft.com/download/1/7/f/17fac352-5c93-4e4b-9866-3c0df4080164/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Public%20Assurance%20Activity%20Report%20(22H2).pdf
<!-- Certification and Validation Reports -->
[certification-report-january-2023]: https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf
[certification-report-january-2024]: https://download.microsoft.com/download/6/9/1/69101f35-1373-4262-8c5b-75e08bc2e365/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(22H2).pdf


@ -0,0 +1,50 @@
---
title: FIPS 140 validated modules for other products
description: This topic lists the completed FIPS 140 cryptographic module validations for products other than Windows and Windows Server that leverage the Windows cryptographic modules.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# FIPS 140 validated modules in other products
The following tables list the completed FIPS 140 validations in products other than Windows and Windows Server that leverage the Windows cryptographic modules. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
## Windows Embedded Compact 7 and Windows Embedded Compact 8
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Cryptographic Primitives Library (bcrypt.dll)|[7.00.2872 and 8.00.6246][sp-2956]|[2956][certificate-2956]|
|Enhanced Cryptographic Provider|[7.00.2872 and 8.00.6246][sp-2957]|[2957][certificate-2957]|
## Windows CE 6.0 and Windows Embedded Compact 7
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Enhanced Cryptographic Provider|[6.00.1937 and 7.00.1687][sp-825]|[825][certificate-825]|
## Outlook Cryptographic Provider
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Outlook Cryptographic Provider (EXCHCSP)|[SR-1A (3821)][sp-110]|[110][certificate-110]|
---
<!-- Links -->
<!-- CMVP Certificates -->
[certificate-110]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/110
[certificate-825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/825
[certificate-2956]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2956
[certificate-2957]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2957
<!-- Security Policies -->
[sp-110]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp110.pdf
[sp-825]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp825.pdf
[sp-2956]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2956.pdf
[sp-2957]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2957.pdf


@ -0,0 +1,241 @@
---
title: FIPS 140 validated modules for previous Windows versions
description: This topic lists the completed FIPS 140 cryptographic module validations for versions of Windows prior to Windows 10.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# FIPS 140 validated modules in previous Windows versions
The following tables list the completed FIPS 140 validations of cryptographic modules used in versions of Windows prior to Windows 10, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
## Windows 8.1
Validated Editions: RT, Pro, Enterprise, Phone, Embedded
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|BitLocker Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|
|BitLocker Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|
|BitLocker Windows Resume (winresume) <br>*Applies only to Pro, Enterprise, and Embedded 8.*|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|
|Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[#2351][certificate-2351]|
|Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[#2355][certificate-2355]|
|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[#2357][certificate-2357]|
|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[#2356][certificate-2356]|
## Windows 8
Validated Editions: RT, Home, Pro, Enterprise, Phone
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|BitLocker Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|
|BitLocker Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|
|BitLocker Windows Resume (WINRESUME) <br>*Applies only to Home and Pro*|[6.2.9200][sp-1898]|[#1898][sp-1898]|
|Boot Manager|[6.2.9200][sp-1895]|[#1895][sp-1895]|
|Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[#1897][sp-1897]|
|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[#1894][sp-1894]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[#1893][sp-1893]|
|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[#1892][sp-1892]|
|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[#1891][certificate-1891]|
## Windows 7
Validated Editions: Windows 7, Windows 7 SP1
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|BitLocker Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655, and 6.1.7601.21675][sp-1332]|[1332][certificate-1332]|
|Boot Manager|[6.1.7600.16385 and 6.1.7601.17514][sp-1319]|[1319][certificate-1319]|
|Code Integrity (CI.DLL)|[6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950, and 6.1.7601.22108][sp-1327]|[1327][certificate-1327]|
|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.1.7600.16385 and 6.1.7601.17514][sp-1329]|[1329][certificate-1329]|
|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.1.7600.16385][sp-1330] (no change in SP1)|[1330][certificate-1330]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.1.7600.16385][sp-1331] (no change in SP1)|[1331][certificate-1331]|
|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17725, 6.1.7601.17919, 6.1.7601.21861, 6.1.7601.22076][sp-1328]|[1328][certificate-1328]|
|Winload OS Loader (winload.exe)|[6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655, and 6.1.7601.21675][sp-1326]|[1326][certificate-1326]|
## Windows Vista SP1
Validated Edition: Ultimate Edition
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Boot Manager (bootmgr)|[6.0.6001.18000 and 6.0.6002.18005][sp-978]|[978][certificate-978]|
|Cryptographic Primitives Library (bcrypt.dll)|[6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872][sp-1002]|[1001][certificate-1001]|
|Code Integrity (ci.dll)|[6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005][sp-980]|[980][certificate-980]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6001.18000 and 6.0.6002.18005][sp-1003]|[1003][certificate-1003]|
|Enhanced Cryptographic Provider (RSAENH)|[6.0.6001.22202 and 6.0.6002.18005][sp-1002]|[1002][certificate-1002]|
|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869][sp-1000]|[1000][certificate-1000]|
|Winload OS Loader (winload.exe)|[6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596][sp-979]|[979][certificate-979]|
## Windows Vista
Validated Edition: Ultimate Edition
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|BitLocker Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6000.16386][sp-894]|[894][certificate-894]|
|Enhanced Cryptographic Provider (RSAENH) | [6.0.6000.16386][sp-893] | [893][certificate-893] |
|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067][sp-891]|[891][certificate-891]|
## Windows XP SP3
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.1.2600.5507][sp-990]|[990][certificate-990]|
|Enhanced Cryptographic Provider (RSAENH)|[5.1.2600.5507][sp-989]|[989][certificate-989]|
|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.1.2600.5512][sp-997]|[997][certificate-997]|
## Windows XP SP2
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|DSS/Diffie-Hellman Enhanced Cryptographic Provider|[5.1.2600.2133][sp-240]|[240][certificate-240]|
|Microsoft Enhanced Cryptographic Provider|[5.1.2600.2161][sp-238]|[238][certificate-238]|
## Windows XP SP1
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Microsoft Enhanced Cryptographic Provider|[5.1.2600.1029][sp-238]|[238][certificate-238]|
## Windows XP
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Kernel Mode Cryptographic Module|[5.1.2600.0][sp-241]|[241][certificate-241]|
## Windows 2000 SP3
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[Base DSS: 5.0.2195.3665 (SP3), Base: 5.0.2195.3839 (SP3), DSS/DH Enh: 5.0.2195.3665 (SP3), Enh: 5.0.2195.3839 (SP3)][sp-103]|[103][certificate-103]|
|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.0.2195.1569][sp-106]|[106][certificate-106]|
## Windows 2000 SP2
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[Base DSS 5.0.2195.2228 (SP2), Base 5.0.2195.2228 (SP2), DSS/DH Enh 5.0.2195.2228 (SP2), Enh 5.0.2195.2228 (SP2)][sp-103]|[103][certificate-103]|
|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.0.2195.1569][sp-106]|[106][certificate-106]|
## Windows 2000 SP1
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[Base DSS 5.0.2150.1391 (SP1), Base 5.0.2150.1391 (SP1), DSS/DH Enh: 5.0.2150.1391 (SP1), Enh 5.0.2150.1391 (SP1)][sp-103]|[103][certificate-103]|
## Windows 2000
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[5.0.2150.1][sp-76]|[76][certificate-76]|
## Windows 95 and Windows 98
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[5.0.1877.6 and 5.0.1877.7][sp-75]|[75][certificate-75]|
## Windows NT 4.0
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Base Cryptographic Provider|[5.0.1877.6 and 5.0.1877.7][sp-68]|[68][certificate-68]|
---
<!-- Links -->
<!-- CMVP Certificates -->
[certificate-68]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/68
[certificate-75]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/75
[certificate-76]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/76
[certificate-103]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/103
[certificate-106]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/106
[certificate-238]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/238
[certificate-240]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/240
[certificate-241]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/241
[certificate-891]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/891
[certificate-893]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/893
[certificate-894]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/894
[certificate-947]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/947
[certificate-978]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/978
[certificate-979]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/979
[certificate-980]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/980
[certificate-989]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/989
[certificate-990]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/990
[certificate-997]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/997
[certificate-1000]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1000
[certificate-1001]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1001
[certificate-1002]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1002
[certificate-1003]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1003
[certificate-1319]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1319
[certificate-1326]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1326
[certificate-1327]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1327
[certificate-1328]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1328
[certificate-1329]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1329
[certificate-1330]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1330
[certificate-1331]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1331
[certificate-1332]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1332
[certificate-1891]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1891
[certificate-2351]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2351
[certificate-2352]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2352
[certificate-2353]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2353
[certificate-2354]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2354
[certificate-2355]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2355
[certificate-2356]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2356
[certificate-2357]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2357
<!-- Security Policies -->
[sp-68]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp68.pdf
[sp-75]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp75.pdf
[sp-76]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp76.pdf
[sp-103]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp103.pdf
[sp-106]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp106.pdf
[sp-238]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp238.pdf
[sp-240]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp240.pdf
[sp-241]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp241.pdf
[sp-891]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp891.pdf
[sp-893]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp893.pdf
[sp-894]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp894.pdf
[sp-947]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp947.pdf
[sp-978]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp978.pdf
[sp-979]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp979.pdf
[sp-980]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp980.pdf
[sp-989]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp989.pdf
[sp-990]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp990.pdf
[sp-997]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp997.pdf
[sp-1000]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1000.pdf
[sp-1002]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1002.pdf
[sp-1003]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1003.pdf
[sp-1319]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1319.pdf
[sp-1326]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1326.pdf
[sp-1327]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1327.pdf
[sp-1328]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1328.pdf
[sp-1329]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1329.pdf
[sp-1330]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1330.pdf
[sp-1331]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1331.pdf
[sp-1332]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1332.pdf
[sp-1891]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1891.pdf
[sp-1892]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1892.pdf
[sp-1893]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1893.pdf
[sp-1894]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1894.pdf
[sp-1895]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1895.pdf
[sp-1896]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1896.pdf
[sp-1897]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1897.pdf
[sp-1898]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1898.pdf
[sp-1899]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1899.pdf
[sp-2351]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2351.pdf
[sp-2352]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2352.pdf
[sp-2353]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2353.pdf
[sp-2354]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2354.pdf
[sp-2355]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2355.pdf
[sp-2356]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2356.pdf
[sp-2357]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2357.pdf


@ -0,0 +1,73 @@
---
title: FIPS 140 validated modules for Windows Server 2016
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows Server 2016.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# FIPS 140 validated modules in Windows Server 2016
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows Server 2016, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
## Windows Server 2016
Build: 10.0.14393.1770. Validated Editions: Standard, Datacenter, Storage Server.
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Windows OS Loader][sp-3502] (winload)|[#3502][certificate-3502]|FIPS Approved: AES, RSA, and SHS; Other Allowed: NDRNG|
|[BitLocker Windows Resume][sp-3501] (winresume)|[#3501][certificate-3501]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3487]|[#3487][certificate-3487]|FIPS Approved: AES, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3510] (ci.dll)|[#3510][certificate-3510]|FIPS Approved: AES, RSA, and SHS|
|[Secure Kernel Code Integrity][sp-3513] (skci.dll)|[#3513][certificate-3513]|FIPS Approved: RSA and SHS; Other Allowed: MD5|
Build: 10.0.14393. Validated Editions: Standard, Datacenter, Storage Server.
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-2934] (dumpfve.sys)|[#2934][certificate-2934]|FIPS Approved: AES|
|[BitLocker Windows OS Loader][sp-2932] (winload)|[#2932][certificate-2932]|FIPS Approved: AES, RSA, and SHS; Other: NDRNG|
|[BitLocker Windows Resume][sp-2933] (winresume)|[#2933][certificate-2934]|FIPS Approved: AES, RSA, and SHS; Other: MD5|
|[Boot Manager][sp-2931]|[#2931][certificate-2931]|FIPS Approved: AES, HMAC, PBKDF, RSA, and SHS; Other: MD5, Non-Compliant PBKDF, and VMK KDF|
|[Code Integrity][sp-2935] (ci.dll)|[#2935][certificate-2935]|FIPS Approved: RSA and SHS|
|[Cryptographic Primitives Library][sp-2937] (bcryptprimitives.dll and ncryptsslp.dll)|[#2937][certificate-2937]|FIPS Approved: AES, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other: HMAC-MD5 and MD5.|
|[Kernel Mode Cryptographic Primitives Library][sp-2936] (cng.sys)|[#2936][certificate-2936]|FIPS Approved: AES, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-2938] (skci.dll)|[#2938][certificate-2938]|FIPS Approved: RSA and SHS; Other: MD5|
---
<!-- Links -->
<!-- CMVP Certificates -->
[certificate-2931]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2931
[certificate-2932]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2932
[certificate-2934]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2934
[certificate-2935]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2935
[certificate-2936]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2936
[certificate-2937]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2937
[certificate-2938]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2938
[certificate-3487]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3487
[certificate-3501]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3501
[certificate-3502]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3502
[certificate-3510]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3510
[certificate-3513]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3513
<!-- Security Policies -->
[sp-2931]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2931.pdf
[sp-2932]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2932.pdf
[sp-2933]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2933.pdf
[sp-2934]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2934.pdf
[sp-2935]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2935.pdf
[sp-2936]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2936.pdf
[sp-2937]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2937.pdf
[sp-2938]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2938.pdf
[sp-3487]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3487.pdf
[sp-3501]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3501.pdf
[sp-3502]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3502.pdf
[sp-3510]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3510.pdf
[sp-3513]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3513.pdf


@ -0,0 +1,54 @@
---
title: FIPS 140 validated modules for Windows Server 2019
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows Server 2019.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# FIPS 140 validated modules in Windows Server 2019
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows Server 2019, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, see its linked Security Policy document or module certificate.
## Windows Server 2019
Build: 10.0.17763.107. Validated Editions: Standard Core, Datacenter Core
|Cryptographic Module (linked to Security Policy document)|Version|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |--- |
|[BitLocker Dump Filter][sp-3092]|10.0.17763|[#3092][certificate-3092]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3089]|10.0.17763|[#3089][certificate-3089]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3644]|10.0.17763|[#3644][certificate-3644]|FIPS Approved: RSA and SHS|
|[Cryptographic Primitives Library][sp-3197]|10.0.17763|[#3197][certificate-3197]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-3196]|10.0.17763|[#3196][certificate-3196]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-3651]|10.0.17763|[#3651][certificate-3651]|FIPS Approved: RSA and SHS|
|[Virtual TPM][sp-3690]|10.0.17763|[#3690][certificate-3690]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-3615]|10.0.17763|[#3615][certificate-3615]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
---
<!-- Links -->
<!-- CMVP Certificates -->
[certificate-3089]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089
[certificate-3092]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092
[certificate-3196]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196
[certificate-3197]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197
[certificate-3615]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3615
[certificate-3644]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3644
[certificate-3651]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3651
[certificate-3690]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3690
<!-- Security Policies -->
[sp-3089]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf
[sp-3092]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf
[sp-3196]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf
[sp-3197]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf
[sp-3615]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf
[sp-3644]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf
[sp-3651]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf
[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf


@ -0,0 +1,166 @@
---
title: FIPS 140 validated modules for previous Windows Server versions
description: This topic lists the completed FIPS 140 cryptographic module validations for versions of Windows Server prior to Windows Server 2016.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# FIPS 140 validated modules in previous Windows Server versions
The following tables list the completed FIPS 140 validations of cryptographic modules used in versions of Windows Server prior to Windows Server 2016, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
## Windows Server 2012 R2
Validated Editions: Server, Storage Server, StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|BitLocker Dump Filter (dumpfve.sys) <br>*Doesn't apply to Azure StorSimple Virtual Array Windows Server 2012 R2*|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|
|BitLocker Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|
|BitLocker Windows Resume (winresume) <br>*Doesn't apply to Azure StorSimple Virtual Array Windows Server 2012 R2*|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|
|Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[2351][certificate-2351]|
|Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[2355][certificate-2355]|
|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[2357][certificate-2357]|
|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[2356][certificate-2356]|
## Windows Server 2012
Validated Editions: Server, Storage Server
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|BitLocker Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|
|BitLocker Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|
|BitLocker Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|
|Boot Manager|[6.2.9200][sp-1895]|[1895][sp-1895]|
|Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[1897][sp-1897]|
|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[1894][sp-1894]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[1893][sp-1893]|
|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[1892]|
|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[1891][certificate-1891]|
## Windows Server 2008 R2
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|BitLocker Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|
|Boot Manager (bootmgr)|[6.1.7600.16385 or 6.1.7601.17514][sp-1321]|[1321][certificate-1321]|
|Cryptographic Primitives Library (bcryptprimitives.dll)|[66.1.7600.16385 or 6.1.7601.17514][sp-1336]|[1336][certificate-1336]|
|Enhanced Cryptographic Provider (RSAENH)|[6.1.7600.16385][sp-1337]|[1337][certificate-1337]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.1.7600.16385][sp-1338]|[1338][certificate-1338]|
|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076][sp-1335]|[1335][certificate-1335]|
|Winload OS Loader (winload.exe)|[6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675][sp-1333]|[1333][certificate-1333]|
## Windows Server 2008
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Boot Manager (bootmgr)|[6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497][sp-1004]|[1004][certificate-1004]|
|Code Integrity (ci.dll)|[6.0.6001.18000 and 6.0.6002.18005][sp-1006]|[1006][certificate-1006]|
|Cryptographic Primitives Library (bcrypt.dll)|[6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872][sp-1008]|[1008][certificate-1008]|
|Enhanced Cryptographic Provider (RSAENH)|[6.0.6001.22202 and 6.0.6002.18005][sp-1010]|[1010][certificate-1010]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6001.18000 and 6.0.6002.18005][sp-1009]|[1009][certificate-1009]|
|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869][sp-1007]|[1007][certificate-1007]|
|Winload OS Loader (winload.exe)|[6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596][sp-1005]|[1005][certificate-1005]|
## Windows Server 2003 SP2
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.3959][sp-868]|[868][certificate-868]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.3959][sp-875]|[875][certificate-875]|
|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.3959][sp-869]|[869][certificate-869]|
## Windows Server 2003 SP1
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.1830 [Service Pack 1])][sp-382]|[382][certificate-382]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.1830 [Service Pack 1]][sp-381]|[381][certificate-381]|
|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.1830 [SP1]][sp-405]|[405][certificate-405]|
## Windows Server 2003
|Cryptographic Module|Version (link to Security Policy)|CMVP Certificate #|
|--- |--- |--- |
|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.0][sp-382]|[382][certificate-382]|
|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.0][sp-381]|[381][certificate-381]|
|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.0][sp-405]|[405][certificate-405]|
---
<!-- Links -->
<!-- CMVP Certificates -->
[certificate-381]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/381
[certificate-382]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/382
[certificate-405]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/405
[certificate-868]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/868
[certificate-869]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/869
[certificate-875]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/875
[certificate-1004]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1004
[certificate-1005]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1005
[certificate-1006]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1006
[certificate-1007]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1007
[certificate-1008]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1008
[certificate-1009]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1009
[certificate-1010]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1010
[certificate-1321]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1321
[certificate-1333]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1333
[certificate-1335]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1335
[certificate-1336]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1336
[certificate-1337]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1337
[certificate-1338]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1338
[certificate-1339]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1339
[certificate-1891]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1891
[certificate-2351]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2351
[certificate-2352]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2352
[certificate-2353]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2353
[certificate-2354]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2354
[certificate-2355]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2355
[certificate-2356]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2356
[certificate-2357]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2357
<!-- Security Policies -->
[sp-381]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp381.pdf
[sp-382]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp382.pdf
[sp-405]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp405.pdf
[sp-868]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp868.pdf
[sp-869]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp869.pdf
[sp-875]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp875.pdf
[sp-1004]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1004.pdf
[sp-1005]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1005.pdf
[sp-1006]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1006.pdf
[sp-1007]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1007.pdf
[sp-1008]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1008.pdf
[sp-1009]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1009.pdf
[sp-1010]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1010.pdf
[sp-1321]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1321.pdf
[sp-1333]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1333.pdf
[sp-1335]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1335.pdf
[sp-1336]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1336.pdf
[sp-1337]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1337.pdf
[sp-1338]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1338.pdf
[sp-1339]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1339.pdf
[sp-1891]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1891.pdf
[sp-1892]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1892.pdf
[sp-1893]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1893.pdf
[sp-1894]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1894.pdf
[sp-1895]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1895.pdf
[sp-1896]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1896.pdf
[sp-1897]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1897.pdf
[sp-1898]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1898.pdf
[sp-1899]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1899.pdf
[sp-2351]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2351.pdf
[sp-2352]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2352.pdf
[sp-2353]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2353.pdf
[sp-2354]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2354.pdf
[sp-2355]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2355.pdf
[sp-2356]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2356.pdf
[sp-2357]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2357.pdf


@ -0,0 +1,152 @@
---
title: FIPS 140 validated modules for Windows Server Semi-Annual Releases
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows Server semi-annual releases.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# FIPS 140 validated modules in Windows Server semi-annual releases
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows Server semi-annual releases, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
## Windows Server, version 2004 (May 2020 Update)
Build: 10.0.19041. Validated Editions: Standard Core, Datacenter Core
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-4538]|[#4538][certificate-4538]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3923]|[#3923][certificate-3923]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-4511]|[#4511][certificate-4511]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-4536]|[#4536][certificate-4536]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-4515]|[#4515][certificate-4515]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Secure Kernel Code Integrity][sp-4512]|[#4512][certificate-4512]|FIPS Approved: AES, RSA, and SHS|
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
## Windows Server, version 1909 (November 2019 Update)
Build: 10.0.18363. Validated Editions: Standard Core, Datacenter Core
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-4538]|[#4538][certificate-4538]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3923]|[#3923][certificate-3923]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-4511]|[#4511][certificate-4511]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-4536]|[#4536][certificate-4536]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-4515]|[#4515][certificate-4515]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Secure Kernel Code Integrity][sp-4512]|[#4512][certificate-4512]|FIPS Approved: AES, RSA, and SHS|
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
## Windows Server, version 1903 (May 2019 Update)
Build: 10.0.18362. Validated Editions: Standard Core, Datacenter Core
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-4538]|[#4538][certificate-4538]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3923]|[#3923][certificate-3923]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-4511]|[#4511][certificate-4511]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-4536]|[#4536][certificate-4536]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-4515]|[#4515][certificate-4515]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Secure Kernel Code Integrity][sp-4512]|[#4512][certificate-4512]|FIPS Approved: AES, RSA, and SHS|
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
## Windows Server, version 1809
Build: 10.0.17763. Validated Editions: Standard Core, Datacenter Core
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-3092]|[#3092][certificate-3092]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3089]|[#3089][certificate-3089]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3644]|[#3644][certificate-3644]|FIPS Approved: RSA and SHS|
|[Cryptographic Primitives Library][sp-3197]|[#3197][certificate-3197]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-3196]|[#3196][certificate-3196]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-3651]|[#3651][certificate-3651]|FIPS Approved: RSA and SHS|
|[Virtual TPM][sp-3690]|[#3690][certificate-3690]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-3615]|[#3615][certificate-3615]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
## Windows Server, version 1803
Build: 10.0.17134. Validated Editions: Standard Core, Datacenter Core
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-3092]|[#3092][certificate-3092]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3089]|[#3089][certificate-3089]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3195]|[#3195][certificate-3195]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-3197]|[#3197][certificate-3197]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-3196]|[#3196][certificate-3196]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-3096]|[#3096][certificate-3096]|FIPS Approved: AES, RSA, and SHS|
|[Windows OS Loader][sp-3480]|[#3480][certificate-3480]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
## Windows Server, version 1709
Build: 10.0.16299. Validated Editions: Standard Core, Datacenter Core
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-3092]|[#3092][certificate-3092]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3089]|[#3089][certificate-3089]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3195]|[#3195][certificate-3195]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-3197]|[#3197][certificate-3197]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-3196]|[#3196][certificate-3196]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-3096]|[#3096][certificate-3096]|FIPS Approved: AES, RSA, and SHS|
|[Windows OS Loader][sp-3194]|[#3194][certificate-3194]|FIPS Approved: AES, RSA, and SHS; Other Allowed: NDRNG|
---
<!-- Links -->
<!-- CMVP Certificates -->
[certificate-3089]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089
[certificate-3092]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092
[certificate-3096]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3096
[certificate-3194]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3194
[certificate-3195]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3195
[certificate-3196]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196
[certificate-3197]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197
[certificate-3480]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3480
[certificate-3615]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3615
[certificate-3644]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3644
[certificate-3651]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3651
[certificate-3690]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3690
[certificate-3923]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3923
[certificate-4339]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4339
[certificate-4511]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4511
[certificate-4512]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4512
[certificate-4515]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4515
[certificate-4536]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4536
[certificate-4537]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4537
[certificate-4538]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4538
<!-- Security Policies -->
[sp-3089]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf
[sp-3092]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf
[sp-3096]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3096.pdf
[sp-3194]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3194.pdf
[sp-3195]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3195.pdf
[sp-3196]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf
[sp-3197]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf
[sp-3480]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3480.pdf
[sp-3615]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf
[sp-3644]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf
[sp-3651]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf
[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf
[sp-3923]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3923.pdf
[sp-4339]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4339.pdf
[sp-4511]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4511.pdf
[sp-4512]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4512.pdf
[sp-4515]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4515.pdf
[sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf
[sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
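Review bot: The `[sp-4538]` reference on the last line of the Security Policies list resolves to `140sp4537.pdf`, so every BitLocker Dump Filter row in the 2004, 1909 and 1903 tables opens the Virtual TPM policy instead of its own. Going by the pattern of every other entry, the target should presumably end in `security-policies/140sp4538.pdf`; confirm that document exists on the NIST site before merging. This matters because the intro sends operators to the linked Security Policy for the rules on running each module in its FIPS approved mode. A similar mismatch is visible in the Windows 10 file that follows, where the version 1511 Cryptographic Primitives Library row links `[sp-2605]` beside certificate `#2606`, while the 1507 row uses `[sp-2606]`.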


@ -0,0 +1,326 @@
---
title: FIPS 140 validated modules for Windows 10
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 10.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# FIPS 140 validated modules for Windows 10
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows 10, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
## Windows 10, version 2004 (May 2020 Update)
Build: 10.0.19041. Validated Editions: Home, Pro, Enterprise, Education
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-4538]|[#4538][certificate-4538]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3923]|[#3923][certificate-3923]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-4511]|[#4511][certificate-4511]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-4536]|[#4536][certificate-4536]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-4515]|[#4515][certificate-4515]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Secure Kernel Code Integrity][sp-4512]|[#4512][certificate-4512]|FIPS Approved: AES, RSA, and SHS|
|[TCB Launcher][sp-4457] <br>*Applies only to Enterprise Edition.*|[#4457][certificate-4457]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows Resume][sp-4348]|[#4348][certificate-4348]|FIPS Approved: AES, HMAC, KBKDF, RSA, and SHS|
## Windows 10, version 1909 (November 2019 Update)
Build: 10.0.18363. Validated Editions: Home, Pro, Enterprise, Education
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-4538]|[#4538][certificate-4538]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3923]|[#3923][certificate-3923]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-4511]|[#4511][certificate-4511]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-4536]|[#4536][certificate-4536]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-4515]|[#4515][certificate-4515]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Secure Kernel Code Integrity][sp-4512]|[#4512][certificate-4512]|FIPS Approved: AES, RSA, and SHS|
|[TCB Launcher][sp-4457] <br>*Applies only to Enterprise Edition.*|[#4457][certificate-4457]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows Resume][sp-4348]|[#4348][certificate-4348]|FIPS Approved: AES, HMAC, KBKDF, RSA, and SHS|
## Windows 10, version 1903 (May 2019 Update)
Build: 10.0.18362. Validated Editions: Home, Pro, Enterprise, Education
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-4538]|[#4538][certificate-4538]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3923]|[#3923][certificate-3923]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-4511]|[#4511][certificate-4511]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-4536]|[#4536][certificate-4536]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-4515]|[#4515][certificate-4515]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: NDRNG|
|[Secure Kernel Code Integrity][sp-4512]|[#4512][certificate-4512]|FIPS Approved: AES, RSA, and SHS|
|[Windows OS Loader][sp-4339]|[#4339][certificate-4339]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
|[Virtual TPM][sp-4537]|[#4537][certificate-4537]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows Resume][sp-4348]|[#4348][certificate-4348]|FIPS Approved: AES, HMAC, KBKDF, RSA, and SHS|
## Windows 10, version 1809 (October 2018 Update)
Build: 10.0.17763. Validated Editions: Home, Pro, Enterprise, Education
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-3092]|[#3092][certificate-3092]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3089]|[#3089][certificate-3089]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3644]|[#3644][certificate-3644]|FIPS Approved: RSA and SHS|
|[Cryptographic Primitives Library][sp-3197]|[#3197][certificate-3197]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-3196]|[#3196][certificate-3196]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-3651]|[#3651][certificate-3651]|FIPS Approved: RSA and SHS|
|[Virtual TPM][sp-3690]|[#3690][certificate-3690]|FIPS Approved: AES, CKG, CVL, DRBG, ECDSA, HMAC, KAS, KBKDF, KTS, RSA, and SHS; Other Allowed: NDRNG|
|[Windows OS Loader][sp-3615]|[#3615][certificate-3615]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
## Windows 10, version 1803 (April 2018 Update)
Build: 10.0.17134. Validated Editions: Home, Pro, Enterprise, Education
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-3092]|[#3092][certificate-3092]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3089]|[#3089][certificate-3089]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3195]|[#3195][certificate-3195]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-3197]|[#3197][certificate-3197]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-3196]|[#3196][certificate-3196]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-3096]|[#3096][certificate-3096]|FIPS Approved: AES, RSA, and SHS|
|[Windows OS Loader][sp-3480]|[#3480][certificate-3480]|FIPS Approved: AES, CKG, DRBG, RSA, and SHS; Other Allowed: NDRNG|
## Windows 10, version 1709 (Fall Creators Update)
Build: 10.0.16299. Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-3092]|[#3092][certificate-3092]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3089]|[#3089][certificate-3089]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3195]|[#3195][certificate-3195]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-3197]|[#3197][certificate-3197]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-3196]|[#3196][certificate-3196]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-3096]|[#3096][certificate-3096]|FIPS Approved: AES, RSA, and SHS|
|[Windows Resume][sp-3091]|[#3091][certificate-3091]|FIPS Approved: AES, RSA, and SHS|
|[Windows OS Loader][sp-3194]|[#3194][certificate-3194]|FIPS Approved: AES, RSA, and SHS; Other Allowed: NDRNG|
## Windows 10, version 1703 (Creators Update)
Build: 10.0.15063. Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-3092] <br>*Applies only to Pro, Enterprise, Education, S, Mobile, and Surface Hub Editions.*|[#3092][certificate-3092]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3089]|[#3089][certificate-3089]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3093] (ci.dll)|[#3093][certificate-3093]|FIPS Approved: AES, RSA, and SHS|
|[Cryptographic Primitives Library][sp-3095] (bcryptprimitives.dll and ncryptsslp.dll)|[#3095][certificate-3095]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-3094] (cng.sys)|[#3094][certificate-3094]|FIPS Approved: AES, CKG, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-3096] (skci.dll) <br>*Applies only to Pro, Enterprise, Education, and S Editions.*|[#3096][certificate-3096]|FIPS Approved: AES, RSA, and SHS|
|[Windows OS Loader][sp-3090]|[#3090][certificate-3090]|FIPS Approved: AES, RSA, and SHS|
|[Windows Resume][sp-3091] <br>*Applies only to Home, Pro, Enterprise, Education, and S Editions.*|[#3091][certificate-3091]|FIPS Approved: AES, RSA, and SHS|
## Windows 10, version 1607 (Anniversary Update)
Build: 10.0.14393.1770. Validated Editions: Windows 10 (Home/Consumer), Pro, Enterprise, Enterprise LTSB, Mobile
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Windows OS Loader][sp-3502] (winload)|[#3502][certificate-3502]|FIPS Approved: AES, RSA, and SHS; Other Allowed: NDRNG|
|[BitLocker Windows Resume][sp-3501] (winresume) <br>*Applies only to Home, Pro, Enterprise, and Enterprise LTSB Editions.*|[#3501][certificate-3501]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3487]|[#3487][certificate-3487]|FIPS Approved: AES, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3510] (ci.dll)|[#3510][certificate-3510]|FIPS Approved: AES, RSA, and SHS|
|[Secure Kernel Code Integrity][sp-3513] (skci.dll) <br>*Applies only to Pro, Enterprise, and Enterprise LTSB Editions.*|[#3513][certificate-3513]|FIPS Approved: RSA and SHS; Other Allowed: MD5|
Build: 10.0.14393. Validated Editions: Windows 10 (Home/Consumer), Pro, Enterprise, Enterprise LTSB, Mobile
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-2934] (dumpfve.sys) <br>*Applies only to Pro, Enterprise, Enterprise LTSB, and Mobile Editions.*|[#2934][certificate-2934]|FIPS Approved: AES|
|[BitLocker Windows OS Loader][sp-2932] (winload)|[#2932][certificate-2932]|FIPS Approved: AES, RSA, and SHS; Other Allowed: NDRNG|
|[BitLocker Windows Resume][sp-2933] (winresume) <br>*Applies only to Home, Pro, Enterprise, and Enterprise LTSB Editions.*|[#2933][certificate-2933]|FIPS Approved: AES, RSA, and SHS; Other Allowed: MD5|
|[Boot Manager][sp-2931]|[#2931][certificate-2931]|FIPS Approved: AES, HMAC, PBKDF, RSA, and SHS; Other Allowed: MD5, Non-Compliant PBKDF, and VMK KDF|
|[Code Integrity][sp-2935] (ci.dll)|[#2935][certificate-2935]|FIPS Approved: RSA and SHS|
|[Cryptographic Primitives Library][sp-2937] (bcryptprimitives.dll and ncryptsslp.dll)|[#2937][certificate-2937]|FIPS Approved: AES, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5 and MD5|
|[Kernel Mode Cryptographic Primitives Library][sp-2936] (cng.sys)|[#2936][certificate-2936]|FIPS Approved: AES, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-2938] (skci.dll) <br>*Applies only to Pro, Enterprise, and Enterprise LTSB Editions.*|[#2938][certificate-2938]|FIPS Approved: RSA and SHS; Other Allowed: MD5|
## Windows 10, version 1511 (November Update)
Build: 10.0.10586.1176. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Windows OS Loader][sp-3451] (winload)|[#3451][certificate-3451]|FIPS Approved: AES, RSA, and SHS|
|[BitLocker Windows Resume][sp-3464] (winresume) <br>*Applies only to Home, Pro, and Enterprise Editions.*|[#3464][certificate-3464]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3447]|[#3447][certificate-3447]|FIPS Approved: AES, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3469] (ci.dll)|[#3469][certificate-3469]|FIPS Approved: AES, RSA, and SHS|
Build: 10.0.10586. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-2703] (dumpfve.sys) <br>*Applies only to Pro, Enterprise, Mobile, and Surface Hub Editions.*|[#2703][certificate-2703]|FIPS Approved: AES|
|[BitLocker Windows OS Loader][sp-2701] (winload) <br>*Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub Editions.*|[#2701][certificate-2701]|FIPS Approved: AES, RSA, and SHS; Other Allowed: MD5 and NDRNG|
|[BitLocker Windows Resume][sp-2702] (winresume) <br>*Applies only to Home, Pro, and Enterprise Editions.*|[#2702][certificate-2702]|FIPS Approved: AES, RSA, and SHS; Other Allowed: MD5|
|[Boot Manager][sp-2700] <br>*Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub Editions.*|[#2700][certificate-2700]|FIPS Approved: AES, HMAC, PBKDF, RSA, and SHS; Other Allowed: MD5, Non-Compliant KDF, and Non-Compliant PBKDF|
|[Code Integrity][sp-2604] (ci.dll)|[#2604][certificate-2604]|FIPS Approved: RSA and SHS; Other Allowed: Non-Compliant AES and MD5|
|[Cryptographic Primitives Library][sp-2605] (bcryptprimitives.dll and ncryptsslp.dll)|[#2606][certificate-2606]|FIPS Approved: AES, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-2605] (cng.sys)|[#2605][certificate-2605]|FIPS Approved: AES, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-2607] (skci.dll) <br>*Applies only to Enterprise and Enterprise LTSB Editions.*|[#2607][certificate-2607]|FIPS Approved: RSA and SHS|
## Windows 10, version 1507
Build: 10.0.10240.17643. Validated Editions: Enterprise LTSB
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Windows OS Loader][sp-3427] (winload)|[#3427][certificate-3427]|FIPS Approved: AES, RSA, and SHS; Other Allowed: NDRNG|
|[BitLocker Windows Resume][sp-3426] (winresume)|[#3426][certificate-3426]|FIPS Approved: AES, RSA, and SHS|
|[Boot Manager][sp-3415]|[#3415][certificate-3415]|FIPS Approved: AES, HMAC, PBKDF, RSA, and SHS|
|[Code Integrity][sp-3437] (ci.dll)|[#3437][certificate-3437]|FIPS Approved: AES, RSA, and SHS|
Build: 10.0.10240. Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[BitLocker Dump Filter][sp-2603] (dumpfve.sys) <br>*Applies only to Pro, Enterprise, and Enterprise LTSB Editions.*|[#2603][certificate-2603]|FIPS Approved: AES|
|[BitLocker Windows OS Loader][sp-2601] (winload) <br>*Applies only to Home, Pro, Enterprise, and Enterprise LTSB Editions.*|[#2601][certificate-2601]|FIPS Approved: AES, RSA, and SHS; Other Allowed: MD5 and NDRNG|
|[BitLocker Windows Resume][sp-2602] (winresume) <br>*Applies only to Home, Pro, Enterprise, and Enterprise LTSB Editions.*|[#2602][certificate-2602]|FIPS Approved: AES, RSA, and SHS; Other Allowed: MD5|
|[Boot Manager][sp-2600] <br>*Applies only to Home, Pro, Enterprise, and Enterprise LTSB Editions.*|[#2600][certificate-2600]|FIPS Approved: AES, HMAC, KTS, PBKDF, RSA, and SHS; Other Allowed: MD5, Non-Compliant KDF, and Non-Compliant PBKDF|
|[Code Integrity][sp-2604] (ci.dll)|[#2604][certificate-2604]|FIPS Approved: RSA and SHS; Other Allowed: Non-Compliant AES and MD5|
|[Cryptographic Primitives Library][sp-2606] (bcryptprimitives.dll and ncryptsslp.dll)|[#2606][certificate-2606]|FIPS Approved: AES, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Kernel Mode Cryptographic Primitives Library][sp-2605] (cng.sys)|[#2605][certificate-2605]|FIPS Approved: AES, CVL, DRBG, DSA, ECDSA, HMAC, KAS, KBKDF, KTS, PBKDF, RSA, SHS, and Triple-DES; Other Allowed: HMAC-MD5, MD5, and NDRNG|
|[Secure Kernel Code Integrity][sp-2607] (skci.dll) <br>*Applies only to Enterprise and Enterprise LTSB Editions.*|[#2607][certificate-2607]|FIPS Approved: RSA and SHS|
---
<!-- Links -->
<!-- CMVP Certificates -->
[certificate-2600]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2600
[certificate-2601]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2601
[certificate-2602]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2602
[certificate-2603]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2603
[certificate-2604]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2604
[certificate-2605]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2605
[certificate-2606]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2606
[certificate-2607]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2607
[certificate-2700]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2700
[certificate-2701]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2701
[certificate-2702]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2702
[certificate-2703]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2703
[certificate-2931]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2931
[certificate-2932]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2932
[certificate-2933]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2933
[certificate-2934]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2934
[certificate-2935]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2935
[certificate-2936]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2936
[certificate-2937]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2937
[certificate-2938]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2938
[certificate-3089]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089
[certificate-3090]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3090
[certificate-3091]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3091
[certificate-3092]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092
[certificate-3093]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3093
[certificate-3094]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3094
[certificate-3095]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3095
[certificate-3096]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3096
[certificate-3194]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3194
[certificate-3195]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3195
[certificate-3196]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196
[certificate-3197]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197
[certificate-3415]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3415
[certificate-3426]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3426
[certificate-3427]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3427
[certificate-3437]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3437
[certificate-3447]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3447
[certificate-3451]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3451
[certificate-3464]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3464
[certificate-3469]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3469
[certificate-3480]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3480
[certificate-3487]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3487
[certificate-3501]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3501
[certificate-3502]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3502
[certificate-3510]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3510
[certificate-3513]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3513
[certificate-3615]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3615
[certificate-3644]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3644
[certificate-3651]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3651
[certificate-3690]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3690
[certificate-3923]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3923
[certificate-4339]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4339
[certificate-4348]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4348
[certificate-4457]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4457
[certificate-4511]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4511
[certificate-4512]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4512
[certificate-4515]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4515
[certificate-4536]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4536
[certificate-4537]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4537
[certificate-4538]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4538
<!-- Security Policies -->
[sp-2600]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2600.pdf
[sp-2601]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2601.pdf
[sp-2602]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2602.pdf
[sp-2603]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2603.pdf
[sp-2604]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2604.pdf
[sp-2605]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2605.pdf
[sp-2606]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2606.pdf
[sp-2607]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2607.pdf
[sp-2700]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2700.pdf
[sp-2701]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2701.pdf
[sp-2702]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2702.pdf
[sp-2703]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2703.pdf
[sp-2931]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2931.pdf
[sp-2932]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2932.pdf
[sp-2933]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2933.pdf
[sp-2934]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2934.pdf
[sp-2935]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2935.pdf
[sp-2936]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2936.pdf
[sp-2937]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2937.pdf
[sp-2938]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2938.pdf
[sp-3089]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf
[sp-3090]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3090.pdf
[sp-3091]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3091.pdf
[sp-3092]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf
[sp-3093]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3093.pdf
[sp-3094]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3094.pdf
[sp-3095]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3095.pdf
[sp-3096]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3096.pdf
[sp-3194]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3194.pdf
[sp-3195]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3195.pdf
[sp-3196]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf
[sp-3197]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf
[sp-3415]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3415.pdf
[sp-3426]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3426.pdf
[sp-3427]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3427.pdf
[sp-3437]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3437.pdf
[sp-3447]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3447.pdf
[sp-3451]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3451.pdf
[sp-3464]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3464.pdf
[sp-3469]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3469.pdf
[sp-3480]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3480.pdf
[sp-3487]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3487.pdf
[sp-3501]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3501.pdf
[sp-3502]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3502.pdf
[sp-3510]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3510.pdf
[sp-3513]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3513.pdf
[sp-3615]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf
[sp-3644]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf
[sp-3651]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf
[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf
[sp-3923]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3923.pdf
[sp-4339]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4339.pdf
[sp-4348]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4348.pdf
[sp-4457]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4457.pdf
[sp-4511]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4511.pdf
[sp-4512]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4512.pdf
[sp-4515]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4515.pdf
[sp-4536]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4536.pdf
[sp-4537]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf
[sp-4538]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4537.pdf


@ -0,0 +1,34 @@
---
title: FIPS 140 validated modules for Windows 11
description: This topic lists the completed FIPS 140 cryptographic module validations for Windows 11.
ms.date: 2/1/2024
ms.topic: reference
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection: tier3
---
# FIPS 140 validated modules for Windows 11
The following tables list the completed FIPS 140 validations of cryptographic modules used in Windows 11, organized by major release of the operating system. The linked Security Policy document for each module provides details on the module capabilities and the policies the operator must follow to use the module in its FIPS approved mode of operation. For information on using the overall operating system in its FIPS approved mode, see [Use Windows in a FIPS approved mode of operation](../fips-140-validation.md#use-windows-in-a-fips-approved-mode-of-operation). For details on the FIPS approved algorithms used by each module, including CAVP algorithm certificates, see the module's linked Security Policy document or CMVP module certificate.
## Windows 11, version 21H2
Build: 10.0.22000. Validated Edition: Windows 11
|Cryptographic Module (linked to Security Policy document)|CMVP Certificate #|Validated Algorithms|
|--- |--- |--- |
|[Boot Manager][sp-4546]|[#4546][certificate-4546]|FIPS Approved: AES, CKG, HMAC, PBKDF, RSA, and SHS|
---
<!-- Links -->
<!-- CMVP Certificates -->
[certificate-4546]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4546
<!-- Security Policies -->
[sp-4546]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4546.pdf


@ -1,291 +1,75 @@
---
title: Common Criteria Certifications
description: This topic details how Microsoft supports the Common Criteria certification program.
ms.author: sushmanemali
author: s4sush
title: Windows Common Criteria certifications
description: Learn how Microsoft products are certified under the Common Criteria for Information Technology Security Evaluation program.
ms.date: 2/1/2024
ms.topic: reference
ms.date: 11/22/2023
ms.author: v-rodurff
author: msrobertd
ms.reviewer: paoloma
ms.collection:
- tier3
ms.collection: tier3
---
# Common Criteria certifications
Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the *Common Criteria Certification Program*, ensures that products incorporate the features and functions required by relevant *Common Criteria Protection Profiles*, and completes *Common Criteria certifications* of Microsoft Windows products. This topic lists the current and archived certified Windows products, together with relevant documentation from each certification.
Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the *Common Criteria for Information Technology Security Evaluation* program, ensures that products incorporate the features and functions required by relevant Common Criteria *Protection Profiles*, and completes Common Criteria certifications of Microsoft Windows products. This topic lists the Windows products certified against the Common Criteria (current and archived), together with documentation from each certification.
## Certified products
## Windows client operating systems
The product releases below are currently certified against the cited *Protection Profile*, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/):
The Windows client releases listed below have been certified against one or more Protection Profiles, as listed on the [Common Criteria Portal](https://commoncriteriaportal.org/pps/index.cfm). Click on a release for its certification details, including links to certification documents. The *Security Target* describes the product editions in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration. The *Certification Report* or *Validation Report* documents the results of the evaluation, with the *Assurance Activity Report* (where available) providing details on the evaluator's actions.
- The *Security Target* describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the *Protection Profile* used as part of the evaluation.
- The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration.
- The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions.
#### Windows 11 releases
### Windows 11 (version 22H2), Windows 10 (version 22H2), Windows Server 2022, Windows Server Datacenter: Azure Edition, Azure Stack HCIv2 version 22H2, Azure Stack Hub and Edge
- [Windows 11, version 22H2](validations/cc-windows11.md#windows-11-version-22h2)
- [Windows 11, version 21H2](validations/cc-windows11.md#windows-11-version-21h2)
Certified against the Protection Profile for General Purpose Operating Systems (4.2.1), the PP-Module for VPN Client (2.4), the PP-Module for Wireless Local Area Network Client (1.0) and the PP-Module for Bluetooth (1.0)
#### Windows 10 releases
- [Security Target](https://download.microsoft.com/download/2/6/c/26c2c205-db9f-474b-9ac7-bd8bf6ae463c/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(22H2).pdf)
- [Administrative Guide](https://download.microsoft.com/download/c/8/3/c83090c7-d299-4d26-a1c3-fb2bf2d77a7b/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(22H2).pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/1/7/f/17fac352-5c93-4e4b-9866-3c0df4080164/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Public%20Assurance%20Activity%20Report%20(22H2).pdf)
- [Certification Report](https://download.microsoft.com/download/6/9/1/69101f35-1373-4262-8c5b-75e08bc2e365/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(22H2).pdf)
- [Windows 10, version 22H2 (2022 Update)](validations/cc-windows10.md#windows-10-version-22h2-2022-update)
- [Windows 10, version 21H2 (November 2021 Update)](validations/cc-windows10.md#windows-10-version-21h2-november-2021-update)
- [Windows 10, version 21H1 (May 2021 Update)](validations/cc-windows10.md#windows-10-version-21h1-may-2021-update)
- [Windows 10, version 20H2 (October 2020 Update)](validations/cc-windows10.md#windows-10-version-20h2-october-2020-update)
- [Windows 10, version 2004 (May 2020 Update)](validations/cc-windows10.md#windows-10-version-2004-may-2020-update)
- [Windows 10, version 1909 (November 2019 Update)](validations/cc-windows10.md#windows-10-version-1909-november-2019-update)
- [Windows 10, version 1903 (May 2019 Update)](validations/cc-windows10.md#windows-10-version-1903-may-2019-update)
- [Windows 10, version 1803 (April 2018 Update)](validations/cc-windows10.md#windows-10-version-1803-april-2018-update)
- [Windows 10, version 1709 (Fall Creators Update)](validations/cc-windows10.md#windows-10-version-1709-fall-creators-update)
- [Windows 10, version 1703 (Creators Update)](validations/cc-windows10.md#windows-10-version-1703-creators-update)
- [Windows 10, version 1607 (Anniversary Update)](validations/cc-windows10.md#windows-10-version-1607-anniversary-update)
- [Windows 10, version 1511 (November 2015 Update)](validations/cc-windows10.md#windows-10-version-1511-november-2015-update)
- [Windows 10, version 1507 (initial release)](validations/cc-windows10.md#windows-10-version-1507-initial-version-released-july-2015)
### Windows 11, Windows 10 (version 20H2, 21H1, 21H2), Windows Server, Windows Server 2022, Azure Stack HCIv2 version 21H2, Azure Stack Hub and Edge
#### Previous Windows releases
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
- [Windows 8.1](validations/cc-windows-previous.md#windows-81)
- [Windows 8](validations/cc-windows-previous.md#windows-8)
- [Windows 7](validations/cc-windows-previous.md#windows-7)
- [Windows Vista](validations/cc-windows-previous.md#windows-vista)
- [Security Target](https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf)
- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf)
- [Certification Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf)
## Windows Server operating systems
### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack)
The Windows Server releases listed below have been certified against one or more Protection Profiles, as listed on the [Common Criteria Portal](https://commoncriteriaportal.org/pps/index.cfm). Click on a release for its certification details, including links to certification documents. The *Security Target* describes the product editions in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration. The *Certification Report* or *Validation Report* documents the results of the evaluation, with the *Assurance Activity Report* (where available) providing details on the evaluator's actions.
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
#### Windows Server 2022, 2019, and 2016 releases
- [Security Target](https://download.microsoft.com/download/a/5/6/a5650848-e86a-4554-bb13-1ad6ff2d45d2/Windows%2010%202004%20GP%20OS%20Security%20Target.pdf)
- [Administrative Guide](https://download.microsoft.com/download/4/a/6/4a66a459-3c73-4c34-84bb-92cb20301206/Windows%2010%202004%20GP%20OS%20Administrative%20Guide.pdf)
- [Certification Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf)
- [Windows Server 2022](validations/cc-windows-server-2022-2019-2016.md#windows-server-2022)
- [Windows Server 2019](validations/cc-windows-server-2022-2019-2016.md#windows-server-2019)
- [Windows Server 2016](validations/cc-windows-server-2022-2019-2016.md#windows-server-2016)
### Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V
#### Windows Server semi-annual releases
Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization.
- [Windows Server, version 20H2 (October 2020 Update)](validations/cc-windows-server-semi-annual.md#windows-server-version-20h2-october-2020-update)
- [Windows Server, version 2004 (May 2020 Update)](validations/cc-windows-server-semi-annual.md#windows-server-version-2004-may-2020-update)
- [Windows Server, version 1909 (November 2019 Update)](validations/cc-windows-server-semi-annual.md#windows-server-version-1909-november-2019-update)
- [Windows Server, version 1903 (May 2019 Update)](validations/cc-windows-server-semi-annual.md#windows-server-version-1903-may-2019-update)
- [Windows Server, version 1809 (October 2018 Update)](validations/cc-windows-server-semi-annual.md#windows-server-version-1809-october-2018-update)
- [Windows Server, version 1803 (April 2018 Update)](validations/cc-windows-server-semi-annual.md#windows-server-version-1803-april-2018-update)
- [Windows Server, version 1709 (Fall Creators Update)](validations/cc-windows-server-semi-annual.md#windows-server-version-1709-fall-creators-update)
- [Security Target](https://download.microsoft.com/download/5/f/6/5f6efbb4-88a0-4161-953d-de07450b7107/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Security%20Target.pdf)
- [Administrative Guide](https://download.microsoft.com/download/7/5/0/750db292-f3d3-48c9-9557-aa64237a0e22/Virtualization%201909%20Administrative%20Guide.pdf)
- [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf)
- [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf)
#### Previous Windows Server releases
### Windows 10, version 1909, Windows Server, version 1909
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.</b></summary>
- [Security Target](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf)
- [Administrative Guide](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf)
- [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1903, Windows Server, version 1903
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.</b></summary>
- [Security Target](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf)
- [Administrative Guide](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf)
- [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1809, Windows Server, version 1809
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
- [Security Target](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf)
- [Administrative Guide](https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf)
- [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1803, Windows Server, version 1803
Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
- [Security Target](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
- [Administrative Guide](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
- [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1709, Windows Server, version 1709
Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
- [Administrative Guide](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
- [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1703, Windows Server, version 1703
Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- [Administrative Guide](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1607, Windows Server 2016
Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
- [Administrative Guide](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
- [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1507, Windows Server 2012 R2
Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
- [Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf)
## Archived certified products
The product releases below were certified against the cited *Protection Profile* and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1):
- The *Security Target* describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the *Protection Profile* used as part of the evaluation
- The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration
- The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions
### Windows Server 2016, Windows Server 2012 R2, Windows 10
Certified against the Protection Profile for Server Virtualization.
- [Security Target](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
- [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1607, Windows 10 Mobile, version 1607
Certified against the Protection Profile for Mobile Device Fundamentals.
- [Security Target](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- [Administrative Guide](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1607, Windows Server 2016 (VPN)
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
- [Security Target](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
- [Administrative Guide](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
- [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1511
Certified against the Protection Profile for Mobile Device Fundamentals.
- [Security Target](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
- [Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
- [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1507, Windows 10 Mobile, version 1507
Certified against the Protection Profile for Mobile Device Fundamentals.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10677-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf)
### Windows 10, version 1507
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
- [Security Target](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
- [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
- [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
### Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830
Certified against the Protection Profile for Mobile Device Fundamentals.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf)
### Surface Pro 3, Windows 8.1
Certified against the Protection Profile for Mobile Device Fundamentals.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf)
### Windows 8.1, Windows Phone 8.1
Certified against the Protection Profile for Mobile Device Fundamentals.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf)
### Windows 8, Windows Server 2012
Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf)
### Windows 8, Windows RT
Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf)
### Windows 8, Windows Server 2012 BitLocker
Certified against the Protection Profile for Full Disk Encryption.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
### Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client
Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
- [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
### Windows 7, Windows Server 2008 R2
Certified against the Protection Profile for General Purpose Operating Systems.
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
### Microsoft Windows Server 2008 R2 Hyper-V Role
- [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305)
- [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
### Windows Vista, Windows Server 2008 at EAL4+
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
### Windows Vista, Windows Server 2008 at EAL1
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
### Microsoft Windows Server 2008 Hyper-V Role
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
### Windows Server 2003 Certificate Server
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
### Windows Rights Management Services
- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
- [Windows Server 2012 R2](validations/cc-windows-server-previous.md#windows-server-2012-r2)
- [Windows Server 2012](validations/cc-windows-server-previous.md#windows-server-2012)
- [Windows Server 2008 R2](validations/cc-windows-server-previous.md#windows-server-2008-r2)
- [Windows Server 2008](validations/cc-windows-server-previous.md#windows-server-2008)
- [Windows Server 2003 Certificate Server](validations/cc-windows-server-previous.md#windows-server-2003-certificate-server)
- [Windows Rights Management Services](validations/cc-windows-server-previous.md#windows-rights-management-services)